c4-judge
commented
1 year ago Picodes marked the issue as primary issue
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago Picodes marked the issue as primary issue
Picodes
commented
1 year ago See also https://github.com/code-423n4/2023-07-pooltogether-findings/issues/6. Regrouping here issues about prb-maths, the main one being the above.
c4-sponsor
commented
1 year ago asselstine marked the issue as sponsor confirmed
c4-judge
commented
1 year ago Picodes changed the severity to 2 (Med Risk)
c4-judge
commented
1 year ago Picodes marked issue #395 as primary and marked this issue as a duplicate of 395
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
c4-judge
commented
1 year ago Picodes marked the issue as selected for report
asselstine
commented
1 year ago
Lines of code
Vulnerability details
The
DrawAccumulatorLib.solandTierCalculationLib.sollibraries inherit a version ofPRBMaththat contains a critical vulnerability in thepow()function, which can return inconsistent values. This vulnerability is of great importance to the PoolTogether protocol, as thepow()function is used in the computation ofTierCalculationLib.getTierOddsandDrawAccumulatorLib.computeC. Recently, another protocol has also experienced the same bug, and the creators of thePRBMathhave acknowledged this situation. Here is the corresponding link. Due to time constraints, we were unable to thoroughly address certain rounding errors withmulanddivfunctions of SD59x18. However, these errors have been corrected in PRBMath V4.Impact
PRBMath
pow()function can return inconsistent valuesProof of Concept
Proof of the bug acknowledgment by the creator of the PRBMath
This PR makes four significant changes:Tools Used
Manual review
Recommended Mitigation Steps
To mitigate this issue, please update the contracts to
0.8.19and upgrade thePRBMathto versionV4.Assessed type
Math