search

sherlock-audit / 2024-05-pooltogether-judging

13 stars 8 forks source link

MrCrowNFT - [M-1] Users can deposit ERC 20 not accounted by any `LiquidationPair` and potentially freezing the deposits to the `PrizePool` #160

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

MrCrowNFT

medium

[M-1] Users can deposit ERC 20 not accounted by any LiquidationPair and potentially freezing the deposits to the PrizePool

Summary

An ERC20's yield can not be liquidated if there is no LiquidationPair.

Vulnerability Detail

A user can deposit into the vault an ERC20 to be deposited into an ERC4626 to generate yield, such yield is to be liquidated by a LiquidationPair, but if no liquidator includes said ERC20 as __tokenIn, it's yield, can not be liquidated, and therefor it can not be deposited into PrizePool.sol, worst case scenario, the share _mintLimit can be reached with this unliquidatable token, meaning that the vault can be frozen if the user refuse to withdraw.

Impact

Medium

Code Snippet

https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L963-L998 https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-tpda-liquidator/src/TpdaLiquidationPairFactory.sol#L40-L79

Tool used

Manual Review

Recommendation

Add a check on the deposit function to prevent deposit of an unliquidatable token.

nevillehuang commented 5 months ago

Invalid, the vault owner is trusted to ensure the yield vault and yield liquidations are properly setup