Code4rena (code423n4), ID CODE423N4:2022-02-POOLTOGETHER-FINDINGS-ISSUES-47
Feb 24, 2022 - 12:00 a.m.

Using transfer instead of safeTransfer allows attacker to steal all staked tokens


Lines of code

Vulnerability details

Impact

An attacker can drain all staked tickets.

Proof of Concept

In the withdrawDelegationToStake function, a user can transfer from one of their delegations to the TWABDelegator contract and receive vault tokens, which they can then unstake to get their tickets back.

withdrawDelegationToStake uses the _transfer function to transfer from the delegation and never checks that the delegation has enough balance:
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L360>

The _transfer function then calls the _transferCall function:
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L572>

Finally _transferCall calls the executeCall function with the transfer selector (instead of safeTransfer):
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L537>

This means the transaction won’t revert if the delegation doesn’t have enough tokens.

The attacker can call the function with an amount greater than the balance of the delegation. The transfer (which is a standard ERC20 transfer in the ticket token) will return false but won’t revert, and the staking tokens will still be minted.

The attacker can then unstake the minted tokens and receive tickets. This can be done to drain all staked tickets.

Recommended Mitigation Steps

Use safeTransfer.
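
The difference between treating "the call did not revert" as success and checking the returned boolean, as an added example that is not code from TWABDelegator or from the original report. `FalseOnFailureToken`, `CreditAfterTransfer` and their functions are hypothetical names, and the token is constructed to return `false` on insufficient balance, which is the behaviour the report assumes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token for illustration: returns false on insufficient balance instead of reverting.
contract FalseOnFailureToken is IERC20Like {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical accounting contract (not TWABDelegator): credits `to` after moving tokens it holds.
contract CreditAfterTransfer {
    mapping(address => uint256) public credited;

    // Unchecked: `ok` only says the call did not revert, so a `false` return still credits.
    function moveUnchecked(address token, address to, uint256 amount) external {
        (bool ok, ) = token.call(abi.encodeWithSelector(IERC20Like.transfer.selector, to, amount));
        require(ok, "call reverted");
        credited[to] += amount;
    }

    // Checked, safeTransfer-style: require code at `token` and decode the returned bool.
    function moveChecked(address token, address to, uint256 amount) external {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(abi.encodeWithSelector(IERC20Like.transfer.selector, to, amount));
        require(ok, "call reverted");
        require(ret.length == 0 || abi.decode(ret, (bool)), "transfer returned false");
        credited[to] += amount;
    }
}
```

With a `CreditAfterTransfer` instance that holds no tokens, `moveUnchecked` completes and increases `credited[to]`, while `moveChecked` reverts with "transfer returned false" and leaves the accounting unchanged.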

