There is no check that after minting a new token the total supply
Proof of Concept
PrizeVault.sol
function totalSupply() public view virtual override(ERC20) returns (uint256) {
    return twabController.totalSupply(address(this));
}

function maxDeposit(address) public view returns (uint256) {
    ...
    uint256 _totalSupply = totalSupply();
    uint256 twabSupplyLimit_ = _twabSupplyLimit(_totalSupply);
    ...
}

function _twabSupplyLimit(uint256 _totalSupply) internal pure returns (uint256) {
    unchecked {
        return type(uint96).max - _totalSupply;
    }
}
So there will be a problem here: if twabController.totalSupply(address(this)) returns a value higher than type(uint96).max, _twabSupplyLimit will always revert.
But in TwabController.sol (OOS) there are no limitations when minting new tokens, so at some point the balance of a token on the Vault might be higher than uint96Max.
Tools Used
Manual review
Recommended Mitigation Steps
Add a custom error, or take care of such a scenario.
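One way to implement the recommended mitigation, shown as an added example that is not code from PrizeVault or from this report; the contract name, the error name and the two guarded function names are hypothetical. Inside `unchecked`, Solidity 0.8 subtraction wraps modulo 2**256 when `_totalSupply` exceeds `type(uint96).max`, so both guarded forms test the bound before subtracting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (hypothetical harness, not PoolTogether code).
contract TwabSupplyLimitExample {
    /// Hypothetical custom error raised when the supply is already past the TWAB cap.
    error TotalSupplyExceedsTwabLimit(uint256 totalSupply, uint256 limit);

    uint256 internal constant TWAB_MAX = type(uint96).max;

    /// Form quoted in the report: no bound check before the unchecked subtraction.
    /// For _totalSupply > TWAB_MAX the result wraps to a value close to 2**256.
    function twabSupplyLimitUnchecked(uint256 _totalSupply) public pure returns (uint256) {
        unchecked {
            return type(uint96).max - _totalSupply;
        }
    }

    /// Mitigation 1 ("add a custom error"): fail loudly with a named error.
    /// Suited to state-changing paths such as mint or deposit.
    function twabSupplyLimitOrRevert(uint256 _totalSupply) public pure returns (uint256) {
        if (_totalSupply > TWAB_MAX) {
            revert TotalSupplyExceedsTwabLimit(_totalSupply, TWAB_MAX);
        }
        unchecked {
            // Safe: the check above guarantees _totalSupply <= TWAB_MAX.
            return TWAB_MAX - _totalSupply;
        }
    }

    /// Mitigation 2 ("take care of such a scenario"): saturate at zero.
    /// Suited to limit views, which can then report "no room left".
    function twabSupplyLimitSaturating(uint256 _totalSupply) public pure returns (uint256) {
        if (_totalSupply >= TWAB_MAX) {
            return 0;
        }
        unchecked {
            // Safe: _totalSupply < TWAB_MAX on this branch.
            return TWAB_MAX - _totalSupply;
        }
    }
}
```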
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/TwabERC20.sol#L77
Assessed type
Math