Closed sherlock-admin2 closed 2 months ago
low severity/invalid due to user error, they are expected to only provide allowance based on how much to deposit. Additionally, there is always the alternative of deposit
that can be used instead/reapproving zero first
0x73696d616f
medium
PrizeVault::depositWithPermit()
still allows griefing attacks, despite the attempts of the code and commentsSummary
PrizeVault::depositWithPermit()
only callsasset.permit()
if the allowance is not the same as the assets to deposit, which will revert if the allowance was non null prior the permit call.Vulnerability Detail
Using permits when depositing is generally vulnerable to DoS by frontrunning and using the signature standalone in the asset contract before it is used in the intended function. The code is aware of this issue and implements some measures to mitigate it in
PrizeVault::depositWithPermit()
,However, this mitigation is incomplete as it will still revert and be DoSed if the
owner
had given the protocol allowance before the permit call. Consider the following scenario, in which a deposit with permit call will be DoSed.Impact
DoSed
PrizeVault::depositWithPermit()
despite the attempted mitigations.Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L545-L547
Tool used
Manual Review
Vscode
Recommendation
Permit should only be called if the allowance is smaller than
assets
,