- $18,750 USDC main award pot
- $1,250 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts December 9, 2021 00:00 UTC
- Ends December 12, 2021 23:59 UTC
The focus of this contest is the TWAB Reward contract that will distribute rewards to depositors in the PoolTogether V4 prize pools.
Compared to a traditional staking contract where users need to deposit tokens in order to receive rewards, PoolTogether users will only need to hold V4 prize pool tickets in order to be eligible to claim rewards.
This is made possible thanks to the TWAB (Time-Weighted Average Balance) concept introduced in V4. For an overview of V4, wardens can consult the V4 Documentation.
Wardens should focus on this mechanism and search for mathematical or logic errors that would allow a malicious actor to claim more rewards than they are eligible for.
This contract also supports the creation of several promotions, otherwise known as rewards campaigns. Promotions run simultaneously and distribute different types of ERC20 tokens. A promotion runs for several epochs of a fixed time duration.
Rewards are calculated based on the average amount of tickets a user holds during the epoch duration. A user should only be able to claim rewards from epochs that are already over and he should only be able to claim these once.
Representatives from PoolTogether will be available in the Code4rena Discord to answer any questions during the contest period.
| Contract | Source Lines of Code | External Calls | Libraries |
|---|---|---|---|
| ITwabRewards.sol | ~121 | None | OpenZeppelin IERC20 |
| TwabRewards.sol | ~378 | Ticket ERC20 token |
OpenZeppelin SafeERC20 |
- ability for a user to claim more rewards beyond their eligibility
- potential loss of funds when creating, extending or cancelling a promotion