Open sherlock-admin3 opened 3 months ago
The blast docs here state that:
Smart contract accounts have three Yield Modes for their rebasing mode:
- Void (DEFAULT): ETH balance never changes; no yield is earned
- Automatic: native ETH balance rebases (increasing only)
- Claimable: ETH balance never changes; yield accumulates separately
The docs say the default for EOAs is rebasing, but the default for the contracts like the prize pool will be void.
@trmid that's not true; that's the case for native ETH, not WETH. Here is a quote from the docs in the case of WETH:
Similar to ETH, WETH and USDB on Blast is also rebasing and follows the same yield mode configurations. However, unlike ETH where contracts have Disabled yield by default, WETH and USDB accounts have Automatic yield by default for both EOAs and smart contracts
@elhajin You are right based on this link here. Seems like this is a valid issue.
The protocol team fixed this issue in the following PRs/commits: https://github.com/GenerationSoftware/pt-v5-prize-pool/pull/114
Fixed. Now WETH is configured claimable and is donated.
The Lead Senior Watson signed off on the fix.
elhaj
medium
Unfair Manipulation of Winning Chances Due to Stolen Yield on Blast
Summary
The `PoolTogether` protocol on Blast will use `WETH` as its prize token, as mentioned by the sponsor, which generates yield over time. This yield can be stolen and used to manipulate the vaults' winning chances unfairly. By contributing the stolen yield to their own vault, users can inflate their vault's portion, increasing their chances of winning prizes while decreasing the chances for other legitimate users. This undermines the fairness of the prize distribution.
Vulnerability Detail
The `PoolTogether` protocol will be deployed on Blast, and as the sponsor mentioned, `WETH` will be the prize token. `WETH` on Blast is a rebasing token that automatically generates yield over time. `WETH` holders have three Yield Modes for rebasing: `Void`, `Automatic`, and `Claimable`. The Default mode is `Automatic`, which means the balance will increase over time by the yield generated.
The `prizePool` will hold `WETH` as the prize token and will generate yield over time. However, this yield can be stolen by anyone, as they can contribute it to their own vault by calling the `contributePrizeTokens()` function, passing their vault and the amount of yield generated.
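To make the accounting failure and the recorded fix concrete from the defender's side, here is an added Python model; it is not code from PoolTogether, Blast or this report. It models the three yield modes and a prize pool that credits contributions out of whatever token surplus it holds beyond its own accounting. `contributePrizeTokens()` is the function named in the report; the `accounted` balance check, `donatePrizeTokens()` and the `DONATOR` sentinel are assumptions about how the real pool attributes incoming tokens, and all balances are constructed sample values.

```python
"""Constructed model of rebasing yield flowing into a prize pool's vault accounting.

Added example, not code from PoolTogether, Blast or the report. YieldMode,
RebasingToken, PrizePool and DONATOR are simplified stand-ins; the
"accounted balance" surplus check and donate_prize_tokens() are assumptions
about how the real pool credits tokens it receives.
"""
from enum import Enum


class YieldMode(Enum):
    VOID = "void"            # balance never changes, no yield
    AUTOMATIC = "automatic"  # balance rebases upward
    CLAIMABLE = "claimable"  # balance fixed, yield tracked separately


class RebasingToken:
    """Minimal stand-in for Blast WETH: per-account yield mode, balance, claimable yield."""

    def __init__(self):
        self.balances = {}
        self.claimable = {}
        self.modes = {}

    def configure(self, account, mode):
        self.modes[account] = mode

    def mint(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def accrue_yield(self, account, amount):
        """Simulate one rebasing period paying `amount` of yield to `account`."""
        # WETH default is Automatic for contracts too, per the docs quoted in the thread
        mode = self.modes.get(account, YieldMode.AUTOMATIC)
        if mode is YieldMode.AUTOMATIC:
            self.balances[account] = self.balances.get(account, 0) + amount
        elif mode is YieldMode.CLAIMABLE:
            self.claimable[account] = self.claimable.get(account, 0) + amount
        # VOID: nothing accrues

    def claim(self, account):
        """Move separately tracked (Claimable) yield into the account's balance."""
        amount = self.claimable.pop(account, 0)
        self.balances[account] = self.balances.get(account, 0) + amount
        return amount

    def balance_of(self, account):
        return self.balances.get(account, 0)


DONATOR = "DONATOR"  # sentinel vault owning donated funds; no user vault gains odds from it


class PrizePool:
    """Credits tokens to vaults out of the surplus it holds above its own accounting."""

    def __init__(self, token, address="prize_pool"):
        self.token = token
        self.address = address
        self.accounted = 0          # tokens already attributed to some vault
        self.contributions = {}     # vault -> attributed amount

    def _credit(self, vault, amount):
        surplus = self.token.balance_of(self.address) - self.accounted
        if amount > surplus:
            raise ValueError("contribution exceeds unaccounted balance")
        self.contributions[vault] = self.contributions.get(vault, 0) + amount
        self.accounted += amount

    def contribute_prize_tokens(self, vault, amount):
        self._credit(vault, amount)

    def donate_prize_tokens(self, amount):
        self._credit(DONATOR, amount)

    def vault_portion(self, vault):
        """Share of all contributions attributed to `vault`: the vault's winning odds."""
        total = sum(self.contributions.values())
        return self.contributions.get(vault, 0) / total if total else 0.0


def scenario(mode):
    """Run one yield period with the pool in `mode`; return (alice, bob, donator) portions."""
    token = RebasingToken()
    pool = PrizePool(token)
    token.configure(pool.address, mode)
    # constructed sample: two honest vaults each contribute 100 WETH
    token.mint(pool.address, 200)
    pool.contribute_prize_tokens("vault_alice", 100)
    pool.contribute_prize_tokens("vault_bob", 100)
    token.accrue_yield(pool.address, 50)

    if mode is YieldMode.AUTOMATIC:
        # the rebased 50 is unaccounted surplus, so any caller may attribute it to a vault of their choice
        pool.contribute_prize_tokens("vault_bob", 50)
    elif mode is YieldMode.CLAIMABLE:
        # the pool balance did not move, so the same call is rejected...
        try:
            pool.contribute_prize_tokens("vault_bob", 50)
        except ValueError:
            pass
        # ...and the yield only enters via the pool's own claim-and-donate path
        pool.donate_prize_tokens(token.claim(pool.address))
    return (pool.vault_portion("vault_alice"),
            pool.vault_portion("vault_bob"),
            pool.vault_portion(DONATOR))
```

Under `Automatic` mode the 50 units of rebased yield are indistinguishable from a fresh contribution, so they land in whichever vault the caller names and shift that vault's odds from 0.5 to 0.6 at Alice's expense. Under `Claimable` mode the balance check rejects the same call, and the yield reaches the pool only through the claim-and-donate path, which credits the `DONATOR` sentinel rather than any user vault; this is the shape of the fix recorded in the thread.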