code-423n4 / 2021-12-pooltogether-findings


extendPromotion is callable by anyone without protecting extending users #132

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x0x0x

Vulnerability details

extendPromotion is callable by anyone. If someone decides to extend a promotion created by another user, the promotion creator still fully controls the promotion and can cancel it to steal the added funds.

Proof of concept

1- User A creates a promotion

2- User A motivates User B to extend the promotion by calling extendPromotion

3- User A cancels the promotion and steals the funds added by User B

Mitigation steps

There are two alternatives; I recommend:

1- Let only promotion creator call extendPromotion

2- Keep track of who funded which timeline and update the cancel logic accordingly. It is also a design choice whether users who extended the promotion can only cancel their part of the promotion. (So the remaining time of the cancelling person can be removed from _numberOfEpochs.)
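A minimal Solidity model of the first mitigation (restricting extendPromotion to the creator), added here as an illustration; it is not PoolTogether's code, and the contract name, struct fields and function signatures are hypothetical simplifications.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal promotion contract (not PoolTogether's implementation).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PromotionModel {
    struct Promotion {
        address creator;
        IERC20 token;
        uint256 tokensPerEpoch;
        uint8 numberOfEpochs;
        uint8 epochsClaimed; // stand-in for the real time-based epoch accounting
    }

    mapping(uint256 => Promotion) public promotions;
    uint256 public promotionCount;

    function createPromotion(IERC20 token, uint256 tokensPerEpoch, uint8 numberOfEpochs) external returns (uint256 id) {
        require(token.transferFrom(msg.sender, address(this), tokensPerEpoch * numberOfEpochs), "transfer failed");
        id = ++promotionCount;
        promotions[id] = Promotion(msg.sender, token, tokensPerEpoch, numberOfEpochs, 0);
    }

    // Mitigation 1: only the creator may extend. Without the creator check,
    // any third party could fund extra epochs that the creator is then free
    // to cancel and withdraw below.
    function extendPromotion(uint256 id, uint8 extraEpochs) external {
        Promotion storage p = promotions[id];
        require(msg.sender == p.creator, "only creator");
        require(p.token.transferFrom(msg.sender, address(this), p.tokensPerEpoch * extraEpochs), "transfer failed");
        p.numberOfEpochs += extraEpochs;
    }

    // Cancel refunds every unpaid epoch to the creator. With an unrestricted
    // extendPromotion this refund would include epochs funded by someone else.
    function cancelPromotion(uint256 id) external {
        Promotion storage p = promotions[id];
        require(msg.sender == p.creator, "only creator");
        uint256 remaining = uint256(p.numberOfEpochs - p.epochsClaimed) * p.tokensPerEpoch;
        p.numberOfEpochs = p.epochsClaimed;
        require(p.token.transfer(p.creator, remaining), "transfer failed");
    }
}
```

The second mitigation from the finding (per-funder accounting in cancel) would replace the single `creator` refund with a mapping of funder to funded epochs, so each party can only recover what they deposited.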

PierrickGT commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/126

PierrickGT commented 2 years ago

Same remark as for the other issue: should be labelled as 1 (Low Risk) and not 3 (High Risk).