Closed code423n4 closed 2 years ago
gzeon
When owner call cancelPromotion, the contract
cancelPromotion
If there are token left for previous epochs, they will be stuck in the contract as the promotion struct is gone.
https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L119
Set numberOfEpochs instead, i.e. _promotions[_promotionId].numberOfEpochs = _getCurrentEpochId(_promotion)+1;
_promotions[_promotionId].numberOfEpochs = _getCurrentEpochId(_promotion)+1;
Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/23
PierrickGT
commented
2 years ago PierrickGT
commented
2 years ago
Handle
gzeon
Vulnerability details
Impact
When owner call
cancelPromotion, the contractIf there are token left for previous epochs, they will be stuck in the contract as the promotion struct is gone.
Proof of Concept
https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L119
Recommended Mitigation Steps
Set numberOfEpochs instead, i.e.
_promotions[_promotionId].numberOfEpochs = _getCurrentEpochId(_promotion)+1;