Closed c4-bot-10 closed 8 months ago
raymondfam marked the issue as insufficient quality report
Known Yield Vault Compatibility Issues:
Additionally, this has been reported by the bot: [M-01] Contracts are vulnerable to rebasing accounting-related issues
raymondfam marked the issue as primary issue
hansfriese marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L854
Vulnerability details
Impact
safeTransferFrom does not verify whether the expected value was transferred. In cases where tokens incur a fee, the transferred amount may be less than expected. Additionally, the product contracts assume that the received amount equals the inputted amount. Consequently, the custodian contract may hold fewer tokens than anticipated, potentially leading to inaccuracies in product accounting.
Rebasing tokens, such as Aave aTokens, increment each holder's balanceOf() over time. In scenarios involving rebasing tokens, rewards accumulate in the contract holding the tokens and cannot be withdrawn by the original depositor. To mitigate this issue, it's crucial to track 'shares' deposited on a pro-rata basis. This approach allows shares to be redeemed for their proportion of the current balance at the time of withdrawal.
Proof of Concept
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L854C10-L859C1
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVaultFactory.sol#L118C1-L119C1
Assessed type
Invalid Validation
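The two accounting pitfalls the report describes (crediting the caller for the `_assets` argument instead of what actually arrived, and holding a rebasing token without pro-rata share tracking) can be shown side by side in a small vault. The contracts below are an added illustration, not the PrizeVault code or anything from the PoolTogether repository: `FeeOnTransferToken` is a constructed mock that burns 1% of every transfer, and `DemoVault` is hypothetical. `depositTrusting` mirrors the pattern the report objects to, `depositMeasured` is the balance-delta fix, and `redeem` shows why pro-rata shares let depositors claim rebasing gains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed mock (not a real token): burns a 1% fee on every transfer,
/// so the recipient always receives less than the `amount` argument.
contract FeeOnTransferToken is IERC20 {
    uint256 public constant FEE_BPS = 100; // 1%
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "balance");
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee; // the fee is burned
    }
}

/// Hypothetical vault: shares are a pro-rata claim on whatever the vault
/// currently holds, so a rebasing balance increase is shared by all holders.
contract DemoVault {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 asset_) { asset = asset_; }

    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    /// Shares to mint for `assets` arriving on top of `assetsBefore`.
    function _sharesFor(uint256 assets, uint256 assetsBefore) internal view returns (uint256) {
        if (totalShares == 0 || assetsBefore == 0) return assets;
        return assets * totalShares / assetsBefore;
    }

    /// Vulnerable pattern: trusts the `amount` argument, as the report describes.
    /// With a fee-on-transfer token the caller is credited for 1% more than arrived.
    function depositTrusting(uint256 amount) external returns (uint256 minted) {
        uint256 before = totalAssets();
        asset.transferFrom(msg.sender, address(this), amount);
        minted = _sharesFor(amount, before);
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    /// Hardened pattern: measure the balance delta and credit only what arrived.
    function depositMeasured(uint256 amount) external returns (uint256 minted) {
        uint256 before = totalAssets();
        asset.transferFrom(msg.sender, address(this), amount);
        uint256 received = totalAssets() - before;
        require(received > 0, "nothing received");
        minted = _sharesFor(received, before);
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    /// Pro-rata redemption: pays the holder's fraction of the current balance,
    /// which is how rebasing rewards reach the depositor instead of being stranded.
    function redeem(uint256 shareAmount) external returns (uint256 assets) {
        require(shares[msg.sender] >= shareAmount, "shares");
        assets = shareAmount * totalAssets() / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        asset.transfer(msg.sender, assets);
    }
}
```

With the mock token, a `depositTrusting(1000)` leaves the vault holding 990 units but mints shares as if 1000 had arrived, so every later depositor who goes through `depositMeasured` is diluted by the over-credit; `depositMeasured` keeps minted shares equal to what the vault can actually back. The same balance-delta check also belongs around any transfer the contract makes on behalf of a deployer or seeder (the factory's buffer transfer linked above is the same shape of call), since the amount that lands is what the accounting has to reflect.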