Closed code423n4 closed 3 years ago
We made the function public because there was no need for restriction. Hand-waving saying "It is not clear if this affects any accounting or causes griefing of any form." is just grasping at straws.
Closing because there is no evidence of an actual issue caused by this being open access.
Handle
0xRajeev
Vulnerability details
Impact
There is no apparent reason for captureAwardBalance() function to be externally callable by anyone other than prizeStrategy.
Impact: It is not clear if this affects any accounting or causes griefing of any form.
It is safer to limit access to only the prizeStrategy similar to the award() function.
Proof of Concept
https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L447-L450
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add onlyPrizeStrategy modifier to captureAwardBalance() or document why/when this should be externally callable.
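As an added illustration (not the audited PrizePool code), the open function beside the restricted one carrying the modifier the mitigation asks for; the pool state, `_poolBalance` and the capture arithmetic are assumptions made for this sketch:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not PoolTogether's PrizePool: a minimal pool that keeps an
// accounted balance and lets its prize strategy capture the surplus as the award.
// All state variables and the balance source are assumptions for the sketch.
contract PrizePoolSketch {
    address public prizeStrategy;
    uint256 public accountedBalance;        // assumed: sum of user deposits
    uint256 internal _currentAwardBalance;  // assumed: surplus captured so far
    uint256 internal _poolBalance;          // assumed: stand-in for the yield-source balance

    event AwardCaptured(uint256 amount);

    modifier onlyPrizeStrategy() {
        require(msg.sender == prizeStrategy, "PrizePool/only-prizeStrategy");
        _;
    }

    constructor(address _prizeStrategy) {
        prizeStrategy = _prizeStrategy;
    }

    // Before: any caller may move the unaccounted surplus into the award balance.
    function captureAwardBalanceOpen() external returns (uint256) {
        return _captureAwardBalance();
    }

    // After (recommended mitigation): only the prize strategy may capture,
    // the same restriction award() already carries.
    function captureAwardBalance() external onlyPrizeStrategy returns (uint256) {
        return _captureAwardBalance();
    }

    function award(address /*to*/, uint256 amount) external onlyPrizeStrategy {
        require(amount <= _currentAwardBalance, "PrizePool/award-exceeds-avail");
        _currentAwardBalance -= amount;
    }

    function _captureAwardBalance() internal returns (uint256) {
        // Surplus over what users are owed, net of what was already captured.
        uint256 totalInterest = _poolBalance > accountedBalance ? _poolBalance - accountedBalance : 0;
        uint256 unaccounted = totalInterest > _currentAwardBalance ? totalInterest - _currentAwardBalance : 0;
        if (unaccounted > 0) {
            _currentAwardBalance += unaccounted;
            emit AwardCaptured(unaccounted);
        }
        return _currentAwardBalance;
    }
}
```

With the modifier in place, a call from any address other than `prizeStrategy` reverts before the award balance is touched, so the question of whether an arbitrary caller can alter accounting no longer arises.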