✨ New!✨  C4 Cosmos leagueRead more »

Contest ran 9 December 202112 December 2021

3 day contest

PoolTogether TwabRewards contest

A protocol for no loss prize savings on Ethereum

$25,000 USDC

Total Awards

PoolTogether Brand

PoolTogether TwabRewards contest details

Contest Scope

The focus of this contest is the TWAB Reward contract that will distribute rewards to depositors in the PoolTogether V4 prize pools.

Compared to a traditional staking contract where users need to deposit tokens in order to receive rewards, PoolTogether users will only need to hold V4 prize pool tickets in order to be eligible to claim rewards.

This is made possible thanks to the TWAB (Time-Weighted Average Balance) concept introduced in V4. For an overview of V4, wardens can consult the V4 Documentation.

Wardens should focus on this mechanism and search for mathematical or logic errors that would allow a malicious actor to claim more rewards than they are eligible for.

This contract also supports the creation of several promotions, otherwise known as rewards campaigns. Promotions run simultaneously and distribute different types of ERC20 tokens. A promotion runs for several epochs of a fixed time duration.

Rewards are calculated based on the average amount of tickets a user holds during the epoch duration. A user should only be able to claim rewards from epochs that are already over and he should only be able to claim these once.

Representatives from PoolTogether will be available in the Code4rena Discord to answer any questions during the contest period.

Areas of Concern

Contract Source Lines of Code External Calls Libraries
ITwabRewards.sol ~121 None OpenZeppelin IERC20
TwabRewards.sol ~378 Ticket
ERC20 token
OpenZeppelin SafeERC20

Risks

  • ability for a user to claim more rewards beyond their eligibility
  • potential loss of funds when creating, extending or cancelling a promotion

Links