This proposal will patch a non-critical exploit that was discovered during the Code 423n4 audit.
Note: the Builder has already been updated with the fix. Future pools are safe.
The current prize pools are based on older versions of the PoolTogether contracts. These contracts contain a bug that allows users to bypass the early exit fee. PT Inc. has developed a mitigation and needs to install it on the governance-managed pools in order to prevent abuse.
Prize pools have a withdrawWithTimelock feature that allows users to withdraw their funds without paying the exit fee. They can trigger withdrawWithTimelock at any time and can completely withdraw their funds when the unlock timestamp elapses.
The withdrawWithTimelock feature has a bug, however: when a user withdraws, it replaces the current unlock timestamp but increases the total future withdrawal amount. This means that the previous unlock timestamp is always replaced by the newest withdrawal. The unlock timestamp is computed based on the requested withdrawal amount rather than the total amount to be withdrawn, so if a user requests a withdrawal of zero then they don’t need to wait at all!
We will deploy a MultiTokenListener for each pool. Each listener will include the pool’s original token faucet(s), as well as a special patch that prevents abuse of the timelock mechanism. The PTIP will replace the token faucet for each pool (the current token listener) with their corresponding MultiTokenListeners.
To exploit the system the user must submit two withdrawWithTimelock requests. This patch will revert a withdrawWithTimelock request if one is already pending, thereby preventing the unlock timestamp overwrite.
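The bookkeeping flaw and the pending-request guard described above can be checked side by side in a small model. This is an added example, not the PoolTogether contracts or the MultiTokenListener code: the class, the function names and the linear SECONDS_PER_TOKEN rate are hypothetical simplifications, and the sample amounts are constructed.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

SECONDS_PER_TOKEN = 100  # constructed rate: timelock seconds per token requested

class TimelockPoolModel:
    """Hypothetical, simplified model of the timelock bookkeeping described above."""

    def __init__(self, patched):
        self.patched = patched
        self.pending_amount = {}    # user -> total amount awaiting unlock
        self.unlock_timestamp = {}  # user -> one unlock time covering that total

    def withdraw_with_timelock(self, user, amount, now):
        pending = self.pending_amount.get(user, 0)
        if self.patched and pending > 0:
            # Mitigation: refuse a new request while one is still pending.
            raise Revert("timelocked withdrawal already pending")
        # Behaviour described above: the total grows, but the unlock time is
        # recomputed from this request's amount alone and overwrites the old one.
        self.pending_amount[user] = pending + amount
        self.unlock_timestamp[user] = now + amount * SECONDS_PER_TOKEN
        return self.unlock_timestamp[user]

    def sweep(self, user, now):
        """Pay out the pending total once the unlock time has passed."""
        if now < self.unlock_timestamp.get(user, 0):
            return 0
        self.unlock_timestamp.pop(user, None)
        return self.pending_amount.pop(user, 0)


def second_request_outcome(patched):
    """Request 50 at t=0, then a zero-amount request at t=10; report the result."""
    pool = TimelockPoolModel(patched)
    first_unlock = pool.withdraw_with_timelock("alice", 50, now=0)
    try:
        pool.withdraw_with_timelock("alice", 0, now=10)
        reverted = False
    except Revert:
        reverted = True
    return first_unlock, pool.unlock_timestamp["alice"], reverted, pool.sweep("alice", now=10)

if __name__ == "__main__":
    print("unpatched:", second_request_outcome(False))
    print("patched:  ", second_request_outcome(True))
```

The returned tuple is (first unlock time, unlock time after the second request, whether the second request reverted, amount paid out at t=10), which makes the model usable as a regression check for the guard.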
We would like to move quickly on this PTIP. Ideally it will be folded into PTIP-27 Part II.
The PTIP will apply the mitigation to the following pools:
More details to follow.
- Currently polling in the forums.
- Yes let’s do it as part of PTIP-27 Part II
- No, let’s not patch the bug