Closed sherlock-admin4 closed 2 months ago
1 comment(s) were left on this issue during the judging contest.
infect3d commented:
low__ high decimal tokens are not common at all and all have low liquidity
Invalid, this tokens are considered "weird tokens" that are not explicitly mentioned in contest details
0x73696d616f
medium
The accumulated balance in the
TwabController
will overflow for tokens with a bigger number of decimals, leading to lost fundsSummary
The accumulated balance in the observations of the
TwabController
will overflow given enough time for tokens with enough decimal places, such as $ERBB, which has 27.Vulnerability Detail
The observations in the
TwabController
are stored asuint128
, as can be seen here. Thus, the maximum value is 2^128 - 1 ≃ 3.4e38.Considering the $ERBB token, which has 27 decimals and a price of 1.31 USD at the time of writing, if 1 year passes, the remaining precision for the token balance is
(2^128 - 1) / (365*24*3600) / 1e27 = 10800
tokens, or approximately 14148 USD at a price of 1.31.Thus, with tokens such as $ERBB, the accumulated balance will overflow whenever users try to withdraw. It will not be possible to do anything as the accumulated balance is extrapolated to the current time, which means that it may not overflow when minting, but then overflow on burns due to the balance accruing over time.
As PrizeVaults can be built by anyone there is not any restriction on the tokens in scope and it is expected that users create vaults with tokens with more decimals than 18.
Impact
DoSed withdrawals and stuck funds due to the accumulated balance overflow.
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-twab-controller/src/libraries/ObservationLib.sol#L30 https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-twab-controller/src/libraries/TwabLib.sol#L412
Tool used
Manual Review
Vscode
Recommendation
The accumulated balance should be stored in a variable bigger than
uint128
.Duplicate of #104