New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QA report #1
Comments
I'm not convinced this should be rated as |
I agree. Per Brendan comment, we are not going to implement this suggestion since only users interacting directly with the contract could make this mistake. So I've added the |
As per the above comment, I will mark this as |
Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency. The original title, for the record, was "No check that _to address is not the contract itself." |
Lines of code
https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L188
https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L204
Vulnerability details
Impact
In TWABDelegator.sol the stake() and unstake() functions handle the minting and burning of tickets to and from the caller. The _to address argument on both is the address to which the stake will be attributed but both functions do not make sure that the _to argument is not the TWABDelegator.sol contract itself. These checks should be added to avoid leaving open areas in which the protocol may be manipulated.
Proof of Concept
https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L188
https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L204
Tools Used
Manual code review
Recommended Mitigation Steps
Add to stake() and unstake() functions:
require(_to != address(this), "Cannot be TwabDelegator");
The text was updated successfully, but these errors were encountered: