Closed c4-bot-6 closed 5 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Incorrect assumption. _depositAndMint is atomic. If the maxDeposit is hit, the function will just revert and no deposit of assets is possible.
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L865-L866
Vulnerability details
Impact
After users deposit into the
PrizeVault
contract their deposit is then transferred toyieldVault
, however ifyieldVault
has reached the maximum deposit limit, the transferred tokens will stay inside thePrizeVault
contract risk-free and withdrawable at all time. The problem is that they will have shares ofPrizeVault
and according to the documentation - "In order for users to be eligible to win prizes, their balances must be tracked in the Twab Controller". This means that users that didn't deposit into the yield vault will still be eligible for prizes because their balance in the Twab Controller is positive.Proof of Concept
Here is how the user can perform this: (This depends on the implementation of the
yieldVault
and if it reverts on a zero deposit)Let's look at the example in which the yield vault does allow a zero deposit
yieldVault.maxDeposit
and sees that the vault reached the deposit limitPizeVault::deposit
with let's say 100e18 tokensPrizeVault
tries to deposit the tokens into the yield vault but since the deposit limit is reached it does nothing and returns 0 as the deposit is not acceptedPrizeVault
, making him eligible for prizesLet's look at the example in which the yield vault does NOT allow a zero deposit
yieldVault.maxDeposit
and sees that the vault's max deposit is 10e18 (10e18 tokens are left until the limit is reached)PizeVault::deposit
with 100e18 tokensPrizeVault
deposits only 10e18 tokens and the rest 90e18 tokens are stored in thePrizeVault
. This way a user is only risking 10e18 tokens but eligible for larger rewards since he gets minted 100e18 sharesTools Used
Manual Review
Recommended Mitigation Steps
Make it such that users cannot deposit more than
PrizeVault::maxDeposit
. Add the check in the deposit and mint functionAssessed type
ERC4626