Closed code423n4 closed 1 year ago
asselstine requested judge review
Picodes marked the issue as primary issue
Picodes marked the issue as selected for report
Picodes marked the issue as satisfactory
Picodes marked issue #332 as primary and marked this issue as a duplicate of 332
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L781
Vulnerability details
Impact
_computeNextNumberOfTiers() has a logic problem that may cause _claimExpansionThreshold to be invalid.
Proof of Concept
To add tiers, two conditions need to be met:
The current implementation code is as follows:
According to the above implementation:
Assumption: current numberOfTiers = 3
If a canary tier claim has been executed, claimPrize(_tier = 2), the state afterwards becomes:
canaryClaimCount = 1
largestTierClaimed = 2
_nextNumberOfTiers = largestTierClaimed + 2 = 4
According to the above implementation, even if the condition in if (_claimExpansionThreshold) is not satisfied, it will still return _nextNumberOfTiers, i.e.: return 4;
So if someone maliciously executes claimPrize(_tier = canary tier) one time every draw, regardless of whether _claimExpansionThreshold is met, then the number of tiers will be increased by 1 every draw. The _claimExpansionThreshold limit is invalidated.
Tools Used
Recommended Mitigation Steps
Assessed type
Context
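The behaviour walked through in the Proof of Concept, as a simplified Python model added here (it is not code from the PrizePool contract or from the report). The function names, the required_canary_claims parameter, the body of the threshold branch and the guarded variant are all assumptions made for illustration.

```python
# Simplified model of the tier-count behaviour described in the finding.
# Not the PrizePool contract code: names and the threshold rule are assumptions.

def next_tiers_as_described(num_tiers, largest_tier_claimed, threshold_met):
    """Behaviour the finding describes: the threshold does not gate the result."""
    next_tiers = largest_tier_claimed + 2
    if threshold_met:
        next_tiers = num_tiers + 1  # assumed body of the threshold branch
    return next_tiers               # returned even when threshold_met is False


def next_tiers_guarded(num_tiers, largest_tier_claimed, threshold_met):
    """Assumed hardening: growth past the current count requires the threshold."""
    next_tiers = largest_tier_claimed + 2
    if next_tiers > num_tiers:
        next_tiers = num_tiers + 1 if threshold_met else num_tiers
    return next_tiers


def simulate(compute, start_tiers=3, draws=5, required_canary_claims=10):
    """One canary-tier claim per draw; returns the tier count after each draw."""
    tiers, history = start_tiers, []
    for _ in range(draws):
        canary_tier = tiers - 1           # numberOfTiers = 3 -> canary tier 2
        canary_claim_count = 1            # a single claim in this draw
        largest_tier_claimed = canary_tier
        # Constructed stand-in for the _claimExpansionThreshold check.
        threshold_met = canary_claim_count >= required_canary_claims
        tiers = compute(tiers, largest_tier_claimed, threshold_met)
        history.append(tiers)
    return history


if __name__ == "__main__":
    print("as described:", simulate(next_tiers_as_described))
    print("guarded:     ", simulate(next_tiers_guarded))
    print("guarded, threshold met:",
          simulate(next_tiers_guarded, required_canary_claims=1))
```

In the model, the guarded variant still lets the tier count grow once the constructed threshold is actually reached, so only the single-claim growth path is closed.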