search

code-423n4 / 2023-07-pooltogether-findings

12 stars 7 forks source link

Any user's chances to win can be revoked by anyone #292

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L988

Vulnerability details

Impact

Anyone can revoke the chances to win for any other user. A malicious actor can use the vulnerability to exclude big depositors from the draws, thus increasing the malicious actor's chances to win prizes.

Proof of Concept

The Vault.sponsor function allows the caller to:

  1. deposit funds into the yield vault (Vault.sol#L983): 
    uint256 _shares = deposit(_assets, _receiver);
  2. and delegate all their funds to the sponsorship address (Vault.sol#L985-L989): 
    if (
    _twabController.delegateOf(address(this), _receiver) != _twabController.SPONSORSHIP_ADDRESS()
) {
    _twabController.sponsor(_receiver);
}

As per the definition of the sponsorship address (TwabController.sol#L23-L24):

Allows users to revoke their chances to win by delegating to the sponsorship address.

The vulnerability is that the sponsor function can be called on any address, without the address' owner permission. A malicious actor can call the sponsor address with the amount of assets set to 0 (or 1 wei) and the receiver address set to the address of a whale (the top holder of shares). _twabController.sponsor will be called with the whale's address, and all their shares will be delegated to the sponsorship address, thus completely preventing the whale from participating in draws.

As can be seen from the _transferDelegateBalance function, when delegating to the sponsorship address, the delegated balance of the user and the total supply is decreased. This will create a new observation with the delegate balance of the whale set to 0. The TWAB of a user is the most important metric when determining if the user is a winner in a draw or not. Thus, by delegating user's balance to the sponsorship address, the TWAB of the user will be reduced, thus reducing their chances to win draws. Since the sponsor function can be called on any address, it can also be used to un-delegate all the tokens delegated to the victim, to reduce the victim's delegated balance to 0 and totally exclude them from competing for draws.

Tools Used

Manual review

Recommended Mitigation Steps

In the Vault.sponsor and Vault.sponsorWithPermit functions, consider setting the receiver parameter to msg.sender and consider disallowing the caller to specify it.

Assessed type

Other

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #393

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory