Some tokens (eg. AMPL), known as rebasing tokens, have dynamic balances. This means that the token balance of an address could increase or decrease over time.
However, the PrizeVault contract is unable to handle such changes in token balance. When users call PrizeVault.deposit(), the number of shares they will have will equal the deposited asset amount. Upon eventually redeeming their shares by calling PrizeVault.redeem(), they will receive the same amount of token or less than what they have deposited.
The vault can not return more tokens than what has been deposited by the user.
In the case of increasing token balance, users won't receive the increased amount.
In the case of a decreased token balance, PrizeVault contract will return decreased assets to every user, and every user will get the same percentage of decrease, no matter the time of deposition.
Therefore, users will lose funds if they deposit into a PrizeVault with a rebasing token as the asset.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider implementing a token blacklist in the protocol, and adding all rebasing tokens to this blacklist.
Additionally, consider documenting that the protocol is not compatible with rebasing tokens.
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L355-L366
Vulnerability details
Impact
Some tokens (eg. AMPL), known as rebasing tokens, have dynamic balances. This means that the token balance of an address could increase or decrease over time.
However, the
PrizeVault
contract is unable to handle such changes in token balance. When users callPrizeVault.deposit()
, the number of shares they will have will equal the deposited asset amount. Upon eventually redeeming their shares by callingPrizeVault.redeem()
, they will receive the same amount of token or less than what they have deposited. The vault can not return more tokens than what has been deposited by the user. In the case of increasing token balance, users won't receive the increased amount. In the case of a decreased token balance,PrizeVault
contract will return decreased assets to every user, and every user will get the same percentage of decrease, no matter the time of deposition.Therefore, users will lose funds if they deposit into a
PrizeVault
with a rebasing token as the asset.Tools Used
Manual Review
Recommended Mitigation Steps
Consider implementing a token blacklist in the protocol, and adding all rebasing tokens to this blacklist.
Additionally, consider documenting that the protocol is not compatible with rebasing tokens.
Assessed type
ERC20