code423n4 / 2021-12-pooltogether-findings, issue 141
Dec 12, 2021

TwabRewards: fee on transfer token as promotion token will block at least one epoch reward claim

Code4rena (github.com)

Handle

GiveMeTestEther

Vulnerability details

Impact

If the promotion token applies transfer fees, the total amount available to claim will be less than `_tokensPerEpoch * _numberOfEpochs` (because part of that amount is the fee: the creator sends funds + fee, but only the funds arrive in the contract), while the calculation in `_calculateRewardAmount` is still based on `_promotion.tokensPerEpoch`. This implies that if a user's rewards add up to the "remaining funds + fee" of the promotion tokens that the TwabRewards contract holds (i.e. the user is the last one claiming rewards), the user won't be able to withdraw rewards for at least one epoch, because `safeTransfer()` is called with an amount (which includes the fee) higher than the contract holds.

This case happens most likely after the promotion has ended.

There is no way to withdraw those funds and they are locked forever in this contract (loss of funds).

Proof of Concept

Assumptions for a simple example:

  • There is only one promotion that uses this promotion token (even if other promotions exist)
  • There is only one user that holds all the prize pool tickets, so only this user can claim any rewards.
  • The user holds the same amount of tickets over the whole period, so the TWAB is a constant function
  • The rewards creator sets a promotion token with a transfer fee
  • There is only one epoch (`_numberOfEpochs = 1`)

In `createPromotion()` the TwabRewards contract will receive `_tokensPerEpoch - fee` and not `_tokensPerEpoch`.
If the user wants to claim the rewards after `_epochEndTimestamp` has passed, `_calculateRewardAmount()` will return `_promotion.tokensPerEpoch`. Therefore `_rewardsAmount` will be equal to `_promotion.tokensPerEpoch`.

`claimRewards()` will then try `_promotion.token.safeTransfer(_user, _rewardsAmount);`, but the contract only holds `_tokensPerEpoch - fee` of the promotion tokens, so the `safeTransfer` will revert. The user will never be able to claim the rewards.

https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L162
https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L289

Tools Used

Manual Analysis

Recommended Mitigation Steps

  • Whitelist promotion tokens (excluding fee-on-transfer tokens)
  • Or add bookkeeping of the amounts actually received, which would become very gas inefficient
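The following Python simulation is an added example, not code from the finding or from the PoolTogether repository. It models the proof of concept above (one promotion, one user with all tickets, a token that burns a fee on every transfer) and contrasts the stored-as-given `tokensPerEpoch` accounting with one form of the bookkeeping mentioned in the mitigation: measuring the balance the contract actually received in `createPromotion()` and deriving `tokensPerEpoch` from that. All names, the `record_received` switch, the 1% fee and the token amounts are constructed for the example.

```python
# Simulation (not the project's code) of the TwabRewards accounting issue with a
# fee-on-transfer promotion token. Names and numbers are constructed for the example.

REWARDS = "TwabRewards"  # address label for the rewards contract


class FeeOnTransferToken:
    """Minimal ERC20-like token that burns a fee (in basis points) on every transfer."""

    def __init__(self, fee_bps: int) -> None:
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Moves `amount` out of sender; the receiver gets amount minus the fee.
        Raises like an ERC20 revert when the sender's balance is too low."""
        if self.balance_of(sender) < amount:
            raise RuntimeError("ERC20: transfer amount exceeds balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount - fee
        return amount - fee


class TwabRewardsSim:
    """Simplified model of createPromotion()/claimRewards() accounting.

    record_received=False stores the creator-supplied tokensPerEpoch (the behaviour
    the finding describes). record_received=True is a hypothetical bookkeeping fix:
    measure the balance actually received and derive tokensPerEpoch from it.
    """

    def __init__(self, record_received: bool) -> None:
        self.record_received = record_received
        self.promotions: dict[int, dict] = {}

    def create_promotion(self, creator: str, token: FeeOnTransferToken,
                         tokens_per_epoch: int, number_of_epochs: int) -> int:
        before = token.balance_of(REWARDS)
        token.transfer(creator, REWARDS, tokens_per_epoch * number_of_epochs)
        received = token.balance_of(REWARDS) - before  # what really arrived
        if self.record_received:
            tokens_per_epoch = received // number_of_epochs
        promotion_id = len(self.promotions) + 1
        self.promotions[promotion_id] = {
            "token": token,
            "tokens_per_epoch": tokens_per_epoch,
            "number_of_epochs": number_of_epochs,
        }
        return promotion_id

    def calculate_reward_amount(self, promotion_id: int, user_share_bps: int,
                                epoch_ids: list[int]) -> int:
        """Reward = tokensPerEpoch * (user TWAB / total TWAB) per claimed epoch.
        The share is constant here, matching the finding's constant-TWAB assumption."""
        promo = self.promotions[promotion_id]
        return sum(promo["tokens_per_epoch"] * user_share_bps // 10_000 for _ in epoch_ids)

    def claim_rewards(self, user: str, promotion_id: int, epoch_ids: list[int],
                      user_share_bps: int) -> int:
        promo = self.promotions[promotion_id]
        amount = self.calculate_reward_amount(promotion_id, user_share_bps, epoch_ids)
        # safeTransfer: raises when the contract holds less than `amount`
        promo["token"].transfer(REWARDS, user, amount)
        return amount


def run_scenario(record_received: bool, fee_bps: int = 100,
                 tokens_per_epoch: int = 1_000, number_of_epochs: int = 1) -> tuple[str, int]:
    """One promotion, one user holding all tickets (100% share), all epochs claimed at once.
    Returns ("reverted", shortfall in tokens) or ("claimed", amount transferred)."""
    token = FeeOnTransferToken(fee_bps)
    token.mint("creator", tokens_per_epoch * number_of_epochs)
    rewards = TwabRewardsSim(record_received)
    pid = rewards.create_promotion("creator", token, tokens_per_epoch, number_of_epochs)
    epochs = list(range(number_of_epochs))
    try:
        amount = rewards.claim_rewards("user", pid, epochs, 10_000)
    except RuntimeError:
        expected = rewards.calculate_reward_amount(pid, 10_000, epochs)
        return "reverted", expected - token.balance_of(REWARDS)
    return "claimed", amount


if __name__ == "__main__":
    print(run_scenario(record_received=False))  # ('reverted', 10)
    print(run_scenario(record_received=True))   # ('claimed', 990)
```

With a 1% fee and a 1,000-token, one-epoch promotion, the stored-as-given model leaves the contract 10 tokens short, so the only claim reverts and the 990 tokens stay locked; the balance-delta model stores 990 as `tokensPerEpoch` and the claim goes through. Note that the fix also has to accept that the claimant receives a further fee-reduced amount, and that `received // number_of_epochs` can leave a few tokens of dust in the contract when the division is not exact.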
