Randomness Selection Vulnerability in Pool #2 – PoolTogether
Summary:
We were recently made aware of a vulnerability with randomness selection in the currently running pool #2. This was brought to our attention through responsible disclosure by @epheph and @MicahZoltu of @Keydonix as they reviewed our open source code. We are grateful for their help and have paid them a 1,000 Dai bug bounty.
Details of the vulnerability are below, no action is needed by any participants in the current pool.
Randomness Vulnerability:
PoolTogether currently uses a combination of a block hash and a secret to generate a random number to pick a winner of a pool. However, a given block hash is only available to smart contracts for the 256 blocks after it is mined (approximately 1 hour). Therefore, 256 blocks after the pool ends, the hash returned by `blockhash(endBlockNumber)` will be `0`, which changes the random number result. The current pool contract does not store the winning address; instead, the winner is re-evaluated with each withdrawal. This has three implications:
1). When pool #2 ends, a winner will be derived from both the secret and the block hash; before 256 further blocks are mined, this winner will be able to claim the prize.
2). After 256 blocks have been mined, the winner will change because the randomness will be generated only from the secret. This second winner will then be able to withdraw the prize, and the first winner will no longer be able to.
3). If the first winner withdraws the prize before 256 blocks have been mined and the second winner also withdraws the prize, then the total pool funds will be short by the prize amount.
Remediation:
Pool #2 will continue to run for its planned duration. Upon completion, if the first winner does not claim the prize within 256 blocks, we will send the prize money from our Aragon DAO. If the first and second winner both claim the prize, then the pool contract will be funded with a sufficient amount of Dai to ensure everyone can successfully withdraw their deposit.
In future pools, the winner will be stored in the contract to prevent this vulnerability.
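The following contract is an added illustration written for this post, not PoolTogether's own pool code. It shows the two patterns described above side by side: a winner function that is re-evaluated on every call and silently changes once `blockhash(endBlock)` starts returning zero, and a `lockWinner` function that computes the winner once while the hash is still available and stores the address, which is the fix adopted for future pools. The contract name, the `entrants` array and the commit-reveal handling of the secret are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (hypothetical contract, not PoolTogether's): one entry per
// address, a secret committed before the draw and revealed afterwards.
contract BlockhashWinnerExample {
    address[] public entrants;     // assumption: one ticket per entrant
    uint256 public immutable endBlock;  // block at which entries close
    bytes32 private immutable secretHash;  // keccak256 of the operator's secret
    address public storedWinner;   // fixed pattern: winner persisted once
    bool public prizeClaimed;

    constructor(uint256 _endBlock, bytes32 _secretHash) {
        endBlock = _endBlock;
        secretHash = _secretHash;
    }

    function enter() external {
        require(block.number < endBlock, "draw closed");
        entrants.push(msg.sender);
    }

    // VULNERABLE pattern: the winner is recomputed on every call. The EVM only
    // serves hashes for the 256 most recent blocks, so once
    // block.number > endBlock + 256 the blockhash() term becomes 0 and the
    // result depends on the secret alone, i.e. a different entrant "wins".
    function winnerUnsafe(bytes32 secret) public view returns (address) {
        require(block.number > endBlock, "draw not over");
        require(keccak256(abi.encodePacked(secret)) == secretHash, "bad secret");
        bytes32 entropy = keccak256(abi.encodePacked(blockhash(endBlock), secret));
        return entrants[uint256(entropy) % entrants.length];
    }

    // FIXED pattern: compute the winner exactly once, only while the hash is
    // still retrievable, and store it so later withdrawals cannot diverge.
    function lockWinner(bytes32 secret) external {
        require(storedWinner == address(0), "already locked");
        require(block.number > endBlock, "draw not over");
        // blockhash(endBlock) is valid while block.number - 256 <= endBlock.
        require(block.number <= endBlock + 256, "block hash expired");
        require(keccak256(abi.encodePacked(secret)) == secretHash, "bad secret");
        bytes32 bh = blockhash(endBlock);
        require(bh != bytes32(0), "block hash unavailable");  // belt and braces
        bytes32 entropy = keccak256(abi.encodePacked(bh, secret));
        storedWinner = entrants[uint256(entropy) % entrants.length];
    }

    // Withdrawal checks against the stored address, never a recomputation.
    function claimPrize() external {
        require(msg.sender == storedWinner, "not the winner");
        require(!prizeClaimed, "already claimed");
        prizeClaimed = true;
        // prize transfer would go here
    }
}
```

The important check is the `block.number <= endBlock + 256` guard together with the zero-hash assertion: if the operator is late in revealing the secret, the draw fails loudly rather than quietly selecting a winner from the secret alone, which is the failure mode the post describes.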
Future Disclosures:
PoolTogether is committed to securing users' funds and earning users' trust. We apologize for this error and again thank Keydonix for practicing responsible disclosure. Going forward, we will continue to provide bug bounties for responsibly disclosed and verified vulnerabilities. We will provide 250 Dai for low severity, 1,000 Dai for medium severity, and 1,500 Dai for high severity vulnerabilities as defined by the Smart Contract Security Alliance here. All disclosures should begin with an email to hello@pooltogether.us and will receive a response within 24 hours.
Published at Tue, 02 Jul 2019 21:48:01 +0000
