code-423n4 / 2021-06-pooltogether-findings

Liquidity Cap is set to MAX at initialization #48

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

The specified/presumed purpose of enforcing a liquidityCap on the prize pool funds is to implement a guarded launch approach where the funds managed by a project are limited at first to anticipate any potential exploits and minimize losses from them. This is expected to be gradually increased over time as the confidence in the deployed project increases with no exploits.

However, the liquidity cap in PrizePool is initialized to uint256 MAX with the expectation that it will be reduced by the owner later using setLiquidityCap(). For a safe guarded launch, it is a recommended best practice to initialize this to a lower number at first and then increase it gradually.

Proof of Concept

https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L196

https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L233

https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L977-L986

Tools Used

Manual Analysis

Recommended Mitigation Steps

Initialize liquidityCap to a reasonable low value and then expect the owner to increase it later based on a pre-defined timeline and associated conditions.
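
The mitigation recommended in the finding above, sketched as an added example (not code from PrizePool.sol or the PoolTogether project). The contract name `GuardedPool`, the one-week `RAISE_INTERVAL`, the ETH-based `deposit`/`withdraw` and every identifier other than `liquidityCap` and `setLiquidityCap` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of a guarded launch. Hypothetical contract: only the
// names liquidityCap and setLiquidityCap come from the finding.
contract GuardedPool {
    address public immutable owner;
    uint256 public liquidityCap;        // maximum total deposits accepted
    uint256 public totalDeposits;
    uint256 public nextRaiseAllowedAt;  // earliest time the cap may be raised
    uint256 public constant RAISE_INTERVAL = 7 days; // assumed timeline
    mapping(address => uint256) public balanceOf;

    event LiquidityCapSet(uint256 oldCap, uint256 newCap);

    constructor(uint256 initialCap) {
        // Guarded launch: refuse the "uncapped" sentinel at deployment.
        require(initialCap != type(uint256).max, "cap must be finite at launch");
        owner = msg.sender;
        liquidityCap = initialCap;
        nextRaiseAllowedAt = block.timestamp + RAISE_INTERVAL;
    }

    function setLiquidityCap(uint256 newCap) external {
        require(msg.sender == owner, "only owner");
        if (newCap > liquidityCap) {
            // Raises follow the timeline; lowering the cap is always allowed.
            require(block.timestamp >= nextRaiseAllowedAt, "raise too early");
            nextRaiseAllowedAt = block.timestamp + RAISE_INTERVAL;
        }
        emit LiquidityCapSet(liquidityCap, newCap);
        liquidityCap = newCap;
    }

    function deposit() external payable {
        // Reject any deposit that would push the pool past the cap.
        require(totalDeposits + msg.value <= liquidityCap, "exceeds liquidity cap");
        totalDeposits += msg.value;
        balanceOf[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Withdrawals are not subject to the cap, so lowering it below `totalDeposits` only blocks new deposits and never traps existing funds.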

asselstine commented 3 years ago

The pool is designed to be fully open when deployed; this is intentional.

dmvt commented 3 years ago

Closing per sponsor's comment