code-423n4 / 2024-03-pooltogether-findings


PrizeVault is incompatible with rebasing tokens #340

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L355-L366

Vulnerability details

Impact

Some tokens (e.g. AMPL), known as rebasing tokens, have dynamic balances. This means that the token balance of an address could increase or decrease over time.

However, the PrizeVault contract is unable to handle such changes in token balance. When users call PrizeVault.deposit(), the number of shares they will have will equal the deposited asset amount. Upon eventually redeeming their shares by calling PrizeVault.redeem(), they will receive the same amount of tokens or less than what they have deposited. The vault cannot return more tokens than what has been deposited by the user. In the case of an increasing token balance, users won't receive the increased amount. In the case of a decreased token balance, the PrizeVault contract will return decreased assets to every user, and every user will get the same percentage of decrease, no matter the time of deposition.

Therefore, users will lose funds if they deposit into a PrizeVault with a rebasing token as the asset.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider implementing a token blacklist in the protocol, and adding all rebasing tokens to this blacklist.

Additionally, consider documenting that the protocol is not compatible with rebasing tokens.

Assessed type

ERC20
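An added illustration, not part of the report above and not PrizeVault code: a small Python model of the accounting the report describes (shares minted 1:1, redemption capped at one asset per share and paid pro rata from the vault's balance), run against a constructed AMPL-style token. The names `RebasingToken`, `ModelVault` and `scenario` are hypothetical, and the model assumes exact fractional arithmetic with no fees or yield handling.

```python
from fractions import Fraction

class RebasingToken:
    """Constructed AMPL-style token: balance = fixed stake * elastic scale."""
    def __init__(self):
        self.stake, self.scale = {}, Fraction(1)

    def balance_of(self, who):
        return self.stake.get(who, 0) * self.scale

    def mint(self, who, amount):
        self.stake[who] = self.stake.get(who, 0) + amount / self.scale

    def transfer(self, src, dst, amount):
        units = amount / self.scale
        self.stake[src] -= units
        self.stake[dst] = self.stake.get(dst, 0) + units

    def rebase(self, factor):
        self.scale *= factor  # every holder's balance moves, the vault's included

class ModelVault:
    """Hypothetical model of the report's description, not PrizeVault.sol."""
    def __init__(self, token):
        self.token, self.shares, self.total_shares = token, {}, 0

    def deposit(self, user, assets):
        self.token.transfer(user, "vault", assets)
        self.shares[user] = self.shares.get(user, 0) + assets  # shares minted 1:1
        self.total_shares += assets

    def redeem_all(self, user):
        shares = self.shares.pop(user)
        held = self.token.balance_of("vault")
        # Pro-rata claim on what the vault holds, capped at 1 asset per share.
        assets = min(shares, shares * held / self.total_shares)
        self.total_shares -= shares
        self.token.transfer("vault", user, assets)
        return assets

def scenario(factor):
    """Alice deposits 100 before the rebase, Bob deposits 100 after it.
    `factor` is the rebase multiplier as a Fraction or a string like "9/10"."""
    token = RebasingToken()
    token.mint("alice", 1000); token.mint("bob", 1000)
    vault = ModelVault(token)
    vault.deposit("alice", 100)
    token.rebase(Fraction(factor))
    vault.deposit("bob", 100)
    return vault.redeem_all("alice"), vault.redeem_all("bob"), token.balance_of("vault")
```

With a +10% rebase both users redeem exactly 100 and 10 tokens stay in the model vault; with a -10% rebase both redeem 95, including Bob, who deposited after the rebase had already happened.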

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as duplicate of #318

c4-judge commented 5 months ago

hansfriese marked the issue as unsatisfactory: Out of scope