Closed code423n4 closed 1 year ago
asselstine marked the issue as sponsor disputed
The gas limit itself is the cap on how many prizes can be claimed at once. The claimers will know the gas limit and will work within it.
Additionally, adding an arbitrary limit would not adapt to gas limit increases.
The caller controls the length of the array so there is no issue.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-claimer/blob/57a381aef690a27c9198f4340747155a71cae753/src/Claimer.sol#L80
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L618-L629
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1058-L1065
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L473
Vulnerability details
Impact
Within Vault#claimPrizes(), there is no limit on how many prize indices of each winner stored in the _prizeIndices storage can be claimed in a single transaction. If some winner has too many prize indices in the _prizeIndices storage, the transaction will revert because the for-loop in Vault#claimPrizes() reaches the gas limit.
Proof of Concept
When a claimer claims a prize on behalf of a user, Claimer#claimPrizes() is called by the claimer. Within Claimer#claimPrizes(), Vault#claimPrizes() is called like this:
https://github.com/GenerationSoftware/pt-v5-claimer/blob/57a381aef690a27c9198f4340747155a71cae753/src/Claimer.sol#L80
Within Vault#claimPrizes(), Vault#_claimPrize() is called for every single winner (_winners[w]) and each of their prize indices (_prizeIndices[w][p]) in the for-loop like this:
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L618-L629
Within Vault#_claimPrize(), PrizePool#claimPrize() is called like this:
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1058-L1065
Within PrizePool#claimPrize(), the amount of Prize Token is transferred via _transfer() like this:
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L473
However, within Vault#claimPrizes(), there is no limit on how many prize indices of each winner stored in the _prizeIndices storage can be claimed in a single transaction. If some winner has too many prize indices in the _prizeIndices storage, the transaction will revert because the for-loop in Vault#claimPrizes() reaches the gas limit.
Tools Used
Recommended Mitigation Steps
Within Vault#claimPrizes(), consider adding a limit (cap) on how many prize indices of each winner stored in the _prizeIndices storage can be claimed in a single transaction.
Assessed type
DoS
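The following is an added example, not code from the issue or from the PoolTogether V5 repositories. It models the nested winners/prize-indices loop that the report describes and the sponsor's answer to it: the caller supplies the arrays, so the only cap is the gas attached to the transaction, and a claimer plans its batches to stay under it. All gas figures (block gas limit, per-claim and per-winner costs), the winner addresses and the batching helper are assumptions made for illustration; the real contracts' costs will differ.

```python
"""Gas-budget model of a claimPrizes-style nested loop and of how a claimer
batches claims to stay under the block gas limit. Added example; the gas costs
are assumed for illustration and are not measured from the PoolTogether V5 code."""
from typing import List, Tuple

# Assumed, illustrative gas figures (hypothetical; not from the real contracts).
BLOCK_GAS_LIMIT = 30_000_000
TX_BASE_GAS = 21_000          # intrinsic cost of any transaction
WINNER_OVERHEAD_GAS = 5_000   # outer-loop bookkeeping per winner
CLAIM_GAS = 120_000           # one _claimPrize(): storage writes plus the prize token transfer

Batch = Tuple[List[str], List[List[int]]]


class OutOfGas(Exception):
    """Stands in for an EVM out-of-gas revert."""


def claim_prizes(winners: List[str], prize_indices: List[List[int]], gas_limit: int) -> List[Tuple[str, int]]:
    """Model of Vault#claimPrizes: iterate over caller-supplied winners and their
    prize indices, charging gas per step. As in the real loop there is no cap on
    len(prize_indices[w]); the only cap is the gas the caller attached."""
    if len(winners) != len(prize_indices):
        raise ValueError("winners and prize_indices must have the same length")
    gas_used = TX_BASE_GAS
    claimed: List[Tuple[str, int]] = []
    for w, winner in enumerate(winners):
        gas_used += WINNER_OVERHEAD_GAS
        if gas_used > gas_limit:
            raise OutOfGas(f"reverted at winner {w}: {gas_used} > {gas_limit}")
        for p in prize_indices[w]:
            gas_used += CLAIM_GAS
            if gas_used > gas_limit:
                # An EVM revert discards every claim made so far in this transaction.
                raise OutOfGas(f"reverted at winner {w}, prize index {p}: {gas_used} > {gas_limit}")
            claimed.append((winner, p))
    return claimed


def would_revert(winners: List[str], prize_indices: List[List[int]], gas_limit: int) -> bool:
    """True if a single transaction with these arguments would run out of gas."""
    try:
        claim_prizes(winners, prize_indices, gas_limit)
    except OutOfGas:
        return True
    return False


def plan_batches(winners: List[str], prize_indices: List[List[int]], gas_limit: int) -> List[Batch]:
    """Split a claim set into transactions that each fit under gas_limit. A winner
    with more prize indices than one transaction can hold is continued in the next
    batch, so the caller never submits a call that would hit OutOfGas."""
    if gas_limit < TX_BASE_GAS + WINNER_OVERHEAD_GAS + CLAIM_GAS:
        raise ValueError("gas_limit cannot cover even a single claim")
    batches: List[Batch] = []
    cur_w: List[str] = []
    cur_p: List[List[int]] = []
    cur_gas = TX_BASE_GAS
    for winner, idxs in zip(winners, prize_indices):
        for p in idxs:
            continuing = bool(cur_w) and cur_w[-1] == winner
            need = CLAIM_GAS if continuing else WINNER_OVERHEAD_GAS + CLAIM_GAS
            if cur_gas + need > gas_limit:
                # Current batch is full: seal it and start a new transaction.
                batches.append((cur_w, cur_p))
                cur_w, cur_p, cur_gas = [], [], TX_BASE_GAS
                continuing, need = False, WINNER_OVERHEAD_GAS + CLAIM_GAS
            if continuing:
                cur_p[-1].append(p)
            else:
                cur_w.append(winner)
                cur_p.append([p])
            cur_gas += need
    if cur_w:
        batches.append((cur_w, cur_p))
    return batches


def run_batches(batches: List[Batch], gas_limit: int) -> List[Tuple[str, int]]:
    """Submit each planned batch as its own transaction; returns everything claimed."""
    claimed: List[Tuple[str, int]] = []
    for winners, prize_indices in batches:
        claimed.extend(claim_prizes(winners, prize_indices, gas_limit))
    return claimed


if __name__ == "__main__":
    # Constructed input: one hypothetical winner holding 600 prize indices.
    winners, idxs = ["0xA11ce"], [list(range(600))]
    print("single tx reverts:", would_revert(winners, idxs, BLOCK_GAS_LIMIT))
    batches = plan_batches(winners, idxs, BLOCK_GAS_LIMIT)
    print("batch sizes:", [len(p[0]) for _, p in batches])
    print("claimed in total:", len(run_batches(batches, BLOCK_GAS_LIMIT)))
```

With the assumed costs, a single call for a winner with 600 prize indices reverts, but the same 600 claims go through as three transactions of 249, 249 and 102. The model also shows why an arbitrary per-winner cap in the contract would not help: the cap the claimer actually has to respect is the gas limit, which the claimer already knows and which can change over time.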