code-423n4 / 2024-03-pooltogether-findings


Failure of `PrizeVault::depositWithPermit` Function on Tokens Without EIP-2612 Permit Feature #290

Closed c4-bot-6 closed 6 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L524-L546

Vulnerability details

Impact

The depositWithPermit function will revert transactions for tokens like stETH that lack EIP-2612 permit functionality, limiting its current usability.

Proof of Concept

A user attempts to call depositWithPermit with stETH, providing the necessary parameters, including the signature components (v, r, s) and _deadline.

The function attempts to execute IERC20Permit(address(_asset)).permit(...), expecting the asset to have a permit function as per EIP-2612. stETH does not implement permit, so this call will not find the appropriate function to execute. stETH's fallback function is triggered instead, due to the absence of the permit function.

stETH's fallback function is not designed to handle this type of call, resulting in a transaction revert.

Same Issue

Harvest Finance gives a yield on stETH

Tools Used

Manual Review

Recommended Mitigation Steps

Consider implementing a wrapper or adapter for stETH to provide permit functionality, or use wrapped stETH (wstETH) that already has it.

Assessed type

Error
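As an added illustration of one defensive design (not code from the PoolTogether repository, and going beyond the report's wrapper/wstETH suggestion): a hypothetical vault whose depositWithPermit treats the permit call as best-effort and gates the deposit on the resulting allowance, so an asset without EIP-2612 can still be deposited after a plain approve. Contract and error names are invented for the example; the OpenZeppelin interfaces are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Permit.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault (not PrizeVault) whose permit path tolerates assets without EIP-2612.
contract PermitTolerantVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public shares;

    error CallerNotOwner(address caller, address owner);
    error InsufficientAllowance(uint256 have, uint256 need);

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    function depositWithPermit(
        uint256 _assets, address _owner, uint256 _deadline, uint8 _v, bytes32 _r, bytes32 _s
    ) external returns (uint256) {
        // Only the signer may spend their own signature through this entry point.
        if (msg.sender != _owner) revert CallerNotOwner(msg.sender, _owner);

        // Best-effort permit: on an stETH-style token the selector does not exist, the
        // fallback reverts and try/catch absorbs it; the deposit then relies on an
        // allowance the owner granted beforehand with a normal approve().
        try IERC20Permit(address(asset)).permit(_owner, address(this), _assets, _deadline, _v, _r, _s) {
        } catch {}

        // The allowance check is the real gate: a token whose fallback silently accepts
        // unknown calls cannot spoof a "successful" permit into a transfer it never approved.
        uint256 allowance = asset.allowance(_owner, address(this));
        if (allowance < _assets) revert InsufficientAllowance(allowance, _assets);

        return _deposit(_assets, _owner);
    }

    function _deposit(uint256 _assets, address _owner) internal returns (uint256) {
        asset.safeTransferFrom(_owner, address(this), _assets);
        shares[_owner] += _assets; // 1:1 shares, for brevity only
        return _assets;
    }
}
```

For a permit-capable asset the same path keeps working, and a signature that was already consumed by someone else submitting it first lands in the catch branch instead of reverting the whole deposit.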

c4-pre-sort commented 6 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 6 months ago

raymondfam marked the issue as duplicate of #17

c4-pre-sort commented 6 months ago

raymondfam marked the issue as duplicate of #51

c4-judge commented 6 months ago

hansfriese marked the issue as satisfactory