code-423n4 / 2023-07-pooltogether-findings


Sponsor function allows voiding someone else's chance to win #461

Closed by code423n4 12 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L988
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L480-L482

Vulnerability details

Impact

Anyone can delegate someone else's balance to the sponsorship address, increasing their own likelihood of winning while voiding the victim's chance.

Proof of Concept

The issue is in the call-chain starting with Vault.sponsor:

```solidity
// Vault.sol (excerpt)
function sponsor(uint256 _assets, address _receiver) external returns (uint256) {
    return _sponsor(_assets, _receiver);
}

function _sponsor(uint256 _assets, address _receiver) internal returns (uint256) {
    uint256 _shares = deposit(_assets, _receiver);

    // Re-delegates whatever `_receiver` already holds, regardless of who the caller is.
    if (
        _twabController.delegateOf(address(this), _receiver) != _twabController.SPONSORSHIP_ADDRESS()
    ) {
        _twabController.sponsor(_receiver);
    }

    // ... (remainder of the function elided in the report)
    return _shares;
}
```

```solidity
// TwabController.sol (excerpt)
function sponsor(address _from) external {
    _delegate(msg.sender, _from, SPONSORSHIP_ADDRESS);
}

function _delegate(address _vault, address _from, address _to) internal {
    address _currentDelegate = _delegateOf(_vault, _from);

    // ...

    // Moves the entire balance of `_from` from its current delegate to `_to`.
    _transferDelegateBalance(
        _vault,
        _currentDelegate,
        _to,
        uint96(userObservations[_vault][_from].details.balance)
    );
}
```

Essentially, anyone can call Vault.sponsor to deposit any amount of assets (even 0) to any receiver, and the TwabController will then re-delegate the whole balance from the current delegate of the receiver to the SPONSORSHIP_ADDRESS.

Tools Used

Manual Review

Recommended Mitigation Steps

Sponsoring should be restricted to msg.sender as the receiver.

Assessed type

Invalid Validation
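To make the impact described in the Proof of Concept and the recommended mitigation concrete, here is an added Python model of the delegation logic (not code from the PoolTogether repository; `Twab`, `sponsor_vulnerable`, `sponsor_fixed` and `scenario` are hypothetical names, and the model tracks plain balances rather than time-weighted ones). It shows a zero-asset `sponsor` call by a third party zeroing the victim's eligible balance, and the `msg.sender`-only check stopping it.

```python
from dataclasses import dataclass, field
SPONSORSHIP_ADDRESS = "SPONSORSHIP"  # constructed stand-in for the real constant

@dataclass
class Twab:
    """Per-vault shares, delegations and delegated (prize-eligible) balances."""
    balance: dict = field(default_factory=dict)           # user -> deposited shares
    delegate_of: dict = field(default_factory=dict)       # user -> current delegate
    delegate_balance: dict = field(default_factory=dict)  # delegate -> eligible balance

    def deposit(self, user, assets):
        self.balance[user] = self.balance.get(user, 0) + assets
        d = self.delegate_of.setdefault(user, user)  # new users are self-delegated
        self.delegate_balance[d] = self.delegate_balance.get(d, 0) + assets

    def delegate(self, user, to):
        # Mirrors TwabController._delegate: move the user's whole balance
        # from the current delegate to the new one.
        cur, amt = self.delegate_of.get(user, user), self.balance.get(user, 0)
        self.delegate_balance[cur] = self.delegate_balance.get(cur, 0) - amt
        self.delegate_balance[to] = self.delegate_balance.get(to, 0) + amt
        self.delegate_of[user] = to

    def win_odds(self, user):
        # Sponsorship balance is never eligible for prizes.
        eligible = {d: b for d, b in self.delegate_balance.items() if d != SPONSORSHIP_ADDRESS}
        total = sum(eligible.values())
        return eligible.get(user, 0) / total if total else 0.0

def sponsor_vulnerable(twab, caller, assets, receiver):
    # Vault.sponsor as reported: receiver is caller-chosen, assets may be 0,
    # and `caller` is never checked.
    twab.deposit(receiver, assets)
    if twab.delegate_of.get(receiver, receiver) != SPONSORSHIP_ADDRESS:
        twab.delegate(receiver, SPONSORSHIP_ADDRESS)

def sponsor_fixed(twab, caller, assets, receiver):
    # Recommended mitigation: only msg.sender may be the sponsored receiver.
    if receiver != caller:
        raise PermissionError("sponsor: receiver must be msg.sender")
    sponsor_vulnerable(twab, caller, assets, receiver)

def scenario(fixed):
    """Victim and attacker each hold 100; attacker calls sponsor(0, victim)."""
    t = Twab()
    t.deposit("victim", 100)
    t.deposit("attacker", 100)
    try:
        (sponsor_fixed if fixed else sponsor_vulnerable)(t, "attacker", 0, "victim")
    except PermissionError:
        pass  # the fixed vault reverts, so balances are untouched
    return t.win_odds("victim"), t.win_odds("attacker")
```

`scenario(False)` returns `(0.0, 1.0)`: the victim's whole balance now sits under the sponsorship address and the attacker holds every eligible share; `scenario(True)` keeps the odds at `(0.5, 0.5)`.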

c4-judge commented 12 months ago

Picodes marked the issue as duplicate of #393

c4-judge commented 11 months ago

Picodes marked the issue as satisfactory