code-423n4 / 2021-06-pooltogether-findings


captureAwardBalance() may be called by anyone #52

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

There is no apparent reason for the captureAwardBalance() function to be externally callable by anyone other than prizeStrategy.

Impact: It is not clear if this affects any accounting or causes griefing of any form.

It is safer to limit access to only the prizeStrategy similar to the award() function.

Proof of Concept

https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L447-L450

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add onlyPrizeStrategy modifier to captureAwardBalance() or document why/when this should be externally callable.
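The mitigation proposed above, shown as an added illustration that is not the PoolTogether PrizePool code: a minimal contract where the same onlyPrizeStrategy modifier that guards award() is also applied to captureAwardBalance(). The deposit bookkeeping, the surplus-as-award accounting and the revert strings are assumptions made for this example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's PrizePool.sol. The accounting is a simplified
// stand-in (assumed): the award is whatever balance sits above tracked deposits.
contract PrizePoolAccessExample {
    address public prizeStrategy;
    uint256 public totalDeposits;       // assumed bookkeeping of user deposits
    uint256 public currentAwardBalance;

    // The restriction the finding proposes to extend from award() to captureAwardBalance().
    modifier onlyPrizeStrategy() {
        require(msg.sender == prizeStrategy, "only-prizeStrategy"); // constructed message
        _;
    }

    constructor(address _prizeStrategy) {
        prizeStrategy = _prizeStrategy;
    }

    // Yield arriving from the underlying source is modelled as plain ether transfers.
    receive() external payable {}

    function deposit() external payable {
        totalDeposits += msg.value;
    }

    // Without the modifier any account could trigger this accounting update;
    // with it, only the configured prizeStrategy can, matching award() below.
    function captureAwardBalance() external onlyPrizeStrategy returns (uint256) {
        uint256 surplus = address(this).balance - totalDeposits;
        if (surplus > currentAwardBalance) {
            currentAwardBalance = surplus;
        }
        return currentAwardBalance;
    }

    function award(address to, uint256 amount) external onlyPrizeStrategy {
        require(amount <= currentAwardBalance, "award-exceeds-available"); // constructed message
        currentAwardBalance -= amount;
        payable(to).transfer(amount);
    }
}
```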

asselstine commented 3 years ago

We made the function public because there was no need for restriction. Hand-waving saying "It is not clear if this affects any accounting or causes griefing of any form." is just grasping at straws.

dmvt commented 3 years ago

Closing because there is no evidence of an actual issue caused by this being open access.