Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA report #1

Open
code423n4 opened this issue Feb 22, 2022 · 5 comments
Open

QA report #1

code423n4 opened this issue Feb 22, 2022 · 5 comments
Assignees
@PierrickGT
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L188
https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L204

Vulnerability details

Impact

In TWABDelegator.sol the stake() and unstake() functions handle the minting and burning of tickets to and from the caller. The _to address argument on both is the address to which the stake will be attributed but both functions do not make sure that the _to argument is not the TWABDelegator.sol contract itself. These checks should be added to avoid leaving open areas in which the protocol may be manipulated.

Proof of Concept

https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L188

https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L204

Tools Used

Manual code review

Recommended Mitigation Steps

Add to stake() and unstake() functions:
require(_to != address(this), "Cannot be TwabDelegator");
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 22, 2022
code423n4 added a commit that referenced this issue Feb 22, 2022
@code423n4
jayjonah8 issue #1
3738eca
@code423n4 code423n4 mentioned this issue Feb 24, 2022
Open
@PierrickGT PierrickGT mentioned this issue Mar 2, 2022
Closed
@PierrickGT PierrickGT self-assigned this Mar 2, 2022
@PierrickGT PierrickGT added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Mar 2, 2022
@PierrickGT
Copy link
Member

PR: pooltogether/v4-twab-delegator#27

@0xleastwood
Copy link
Collaborator

0xleastwood commented Mar 7, 2022
edited

I'm not convinced this should be rated as medium severity. The warden has not justified why this might cause the protocol issues. I think this could be better rated as low or non-critical. @PierrickGT

@PierrickGT
Copy link
Member

I'm not convinced this should be rated as medium severity. The warden has not justified why this might cause the protocol issues. I think this could be better rated as low or non-critical. @PierrickGT

I agree. Per Brendan comment, we are not going to implement this suggestion since only users interacting directly with the contract could make this mistake. So I've added the sponsor acknowledged badge.
As for the severity, it would result in a loss of fund if the user was to pass the contract address. But since this scenario is pretty unlikely, we could rate is as low or dispute the issue entirely.

@PierrickGT PierrickGT added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Mar 8, 2022
@0xleastwood
Copy link
Collaborator

As per the above comment, I will mark this as low and have it be part of the QA report.

@0xleastwood 0xleastwood added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 9, 2022
@CloudEllie
Copy link

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.

The original title, for the record, was "No check that _to address is not the contract itself."

@CloudEllie CloudEllie changed the title No check that _to address is not the contract itself QA report Mar 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PierrickGT PierrickGT

Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@PierrickGT @0xleastwood @code423n4 @CloudEllie