search

code-423n4 / 2024-03-pooltogether-findings

5 stars 4 forks source link

No written limitations on a total supply, that should not be higher than uint96max value #334

Closed c4-bot-5 closed 5 months ago

c4-bot-5 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/TwabERC20.sol#L77

Vulnerability details

Impact

There is no check that after minting a new token the total supply

Proof of Concept

PrizeVault.sol

function totalSupply() public view virtual override(ERC20) returns (uint256) {
        return twabController.totalSupply(address(this));
}
function maxDeposit(address) public view returns (uint256) {
   ...
   uint256 _totalSupply = totalSupply();
   uint256 twabSupplyLimit_ = _twabSupplyLimit(_totalSupply);
   ...
}
function _twabSupplyLimit(uint256 _totalSupply) internal pure returns (uint256) {
        unchecked {
            return type(uint96).max - _totalSupply;
        }
    }

So here there will be a problem if twabController.totalSupply(address(this)); will return a value higher than type(uint96).max, _twabSupplyLimit will always revert

But In TwabController.sol(OOS) there are no limitations while minting new tokens, so at some point there might be a case when the balance of a token on Vault will be higher than uint96Max.

Tools Used

Manual review

Recommended Mitigation Steps

Add a custom error, or take in case such a scenario

Assessed type

Math

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as duplicate of #183

c4-judge commented 5 months ago

hansfriese marked the issue as unsatisfactory: Invalid