asselstine
commented
3 years ago Mitigation:
If a user's timelock balance is non-zero, the prize strategy rejects the ticket burn.
Open code423n4 opened 3 years ago
asselstine
commented
3 years ago Mitigation:
If a user's timelock balance is non-zero, the prize strategy rejects the ticket burn.
Handle
cmichel
Vulnerability details
One can withdraw the entire
PrizePooldeposit by circumventing the timelock. Assume the user has no credits for ease of computation:withdrawWithTimelockFrom(user, amount=userBalance)with their entire balance. This "mints" an equivalentamountoftimelockand resets_unlockTimestamps[user] = timestamp = blockTime + lockDuration.withdrawWithTimelockFrom(user, amount=0)again but this time withdrawing0amount. This will return alockDurationof0and thusunlockTimestamp = blockTime. The inner_mintTimelocknow resets_unlockTimestamps[user] = unlockTimestampif (timestamp <= _currentTime())is true, the full users amount is now transferred out to the user in the_sweepTimelockBalancescall.Impact
Users don't need to wait for their deposit to contribute their fair share to the prize pool. They can join before the awards and leave right after without a penalty which leads to significant issues for the protocol. It's the superior strategy but it leads to no investments in the strategy to earn the actual interest.
Recommended Mitigation Steps
The unlock timestamp should be increased by duration each time, instead of being reset to the duration.