An attacker can drain all staked tickets.
In the withdrawDelegationToStake function the user can transfer from one of his delegations to the TWABDelegator contract and receive vault tokens he can then unstake to get his tickets back.
withdrawDelegationToStake uses the _transfer function to transfer from the delegation and never checks that the delegation has enough balance:
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L360>
The _transfer function then calls the _transferCall function:
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L572>
Finally _transferCall calls the executeCall function with the transfer selector (instead of safeTransfer):
<https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L537>
This means the transaction won't revert if the delegation doesn't have enough tokens.
The attacker can call the function with an amount greater than the balance of the delegation. The transfer (which is a standard ERC20 transfer in the ticket token) will return false but won't revert and the staking tokens will still be minted.
The attacker can then unstake the minted tokens and receive tickets. This can be done to drain all staked tickets.
Use safeTransfer.
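
A sketch of the recommended check, added here as an illustration and not taken from v4-twab-delegator: the return data of the forwarded `transfer` call is validated the way SafeERC20 does, and the stake is minted only after the tickets have arrived. `IERC20Minimal`, `ICallExecutor`, `CheckedDelegationWithdraw`, `_mintStake` and `_withdrawToStake` are hypothetical names, and the token is assumed to signal failure by returning `false`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Added illustration, not project code. All names below are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Stand-in for a delegation contract that forwards a low-level call
// and hands back the raw return data of that call.
interface ICallExecutor {
    function execute(address to, bytes calldata data) external returns (bytes memory);
}

abstract contract CheckedDelegationWithdraw {
    error TransferFailed();
    error ShortTransfer(uint256 expected, uint256 received);

    IERC20Minimal public immutable ticket;

    constructor(IERC20Minimal ticket_) {
        ticket = ticket_;
    }

    // Supplied by the inheriting contract (e.g. an ERC20 _mint of the stake token).
    function _mintStake(address to, uint256 amount) internal virtual;

    function _withdrawToStake(ICallExecutor delegation, address staker, uint256 amount) internal {
        uint256 balanceBefore = ticket.balanceOf(address(this));

        bytes memory ret = delegation.execute(
            address(ticket),
            abi.encodeWithSelector(IERC20Minimal.transfer.selector, address(this), amount)
        );

        // SafeERC20 rule: empty return data is accepted (tokens that return
        // nothing), anything else must decode to true.
        if (ret.length != 0 && !abi.decode(ret, (bool))) revert TransferFailed();

        // Defence in depth: mint only if the full amount actually arrived.
        uint256 received = ticket.balanceOf(address(this)) - balanceBefore;
        if (received != amount) revert ShortTransfer(amount, received);

        _mintStake(staker, amount);
    }
}
```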