Closed sherlock-admin2 closed 3 months ago
1 comment(s) were left on this issue during the judging contest.
infect3d commented:
not an issue as the prizeVault owner verifies the liquidation pair before setting it
Invalid, sponsor comments:
- agree invalid since bots are supposed to verify the tokenOut and tokenIn
- these contracts are multipurpose and should not be restricted with the prize pool or vault interface
Laksmana
medium
Missing Validation of TpdaLiquidationPair
Summary
TpdaLiquidationPairFactory#createPair did not check _tokenIn and _tokenOut; as a result, the TpdaLiquidationPair cannot be used.
Vulnerability Detail
The function TpdaLiquidationPairFactory#createPair creates a TpdaLiquidationPair contract, but unfortunately there is no check for _tokenIn.
Q: Why should there be a _tokenIn check?
A: Look at the TpdaLiquidationPair#swapExactAmountOut function. That function calls source.transferTokensOut and source.verifyTokensIn, which are PrizeVault#transferTokensOut and PrizeVault#verifyTokensIn. But look at this: if address _tokenOut is not equal to address _asset or _source, it will revert. Also, if (_tokenIn != _prizeToken), so when verifyTokensIn is triggered but the address of _tokenIn is not equal to address _prizeToken, it will revert. As a result, TpdaLiquidationPair cannot be used.
Impact
If a TpdaLiquidationPair is created and address _tokenOut is not equal to address _asset or _source, creation will succeed, but the TpdaLiquidationPair will be a useless contract because it cannot call swapExactAmountOut. Or, if a TpdaLiquidationPair is created and _tokenIn is not equal to prizeToken, creation will succeed, but the TpdaLiquidationPair will be a useless contract because it cannot call swapExactAmountOut.
POC
PrizeVaultFactory.t.sol
forge test -vvvv --match-test test_TpdaLiquidationPair_ErrorOf_tokenOut
forge test -vvvv --match-test test_TpdaLiquidationPair_ErrorOf_tokenIn
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-tpda-liquidator/src/TpdaLiquidationPairFactory.sol#L48-L63
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-tpda-liquidator/src/TpdaLiquidationPair.sol#L162
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-vault/src/PrizeVault.sol#L767
Tool used
Manual Review
Recommendation