Vulnerability Disclosure: Twab Rewards

On May 30 a security researcher, Riley Holterhus, privately disclosed a vulnerability in the Twab Rewards contract. The next morning we were able to reproduce the exploit, and have a mitigation in place. We are in the process of deploying new contracts.

The affected contracts are:

TwabRewards on Ethereum
TwabRewards on Polygon
TwabRewards on Avalanche

Fortunately, the Twab Rewards contracts are not currently being used by the protocol and do not hold significant funds. However, the attack that Riley discovered would have allowed the attacker to drain the funds from the contract. This is a high-risk exploit as a significant amount of funds could have been lost.

The Twab Rewards contract was audited by C4. However, the bug was introduced in the mitigations. Too much scope was changed in the mitigation without enough oversight. More care should have been taken.

Audits are never a silver bullet, so we must strive to have ongoing efforts to strengthen security. PoolTogether has an existing Security Bounty framework. While we haven’t formally defined who in the DAO handles security, that responsibility tacitly falls on myself and the protocol developers. These bounties should be formalized as being part of the PoolTogether Bounties program, with myself and others being appointed as the reviewers.

Being a high-risk bounty, the security researcher is entitled to a $25,000 USD payout. I will be applying for the bounty payout through the grants program on behalf of the researcher. In the future, we should expand the bounties budget so that it can cover these costs itself.

10 Likes

Congrats Riley Holterhus for bringing this forward and collecting a bounty!

and for anyone else curious, the PT bounty program is on Immunefi @ PoolTogether Bug Bounties | Immunefi

4 Likes