Reserve can be withdrawn by DrawManager, or when DrawManager is hacked, attacker can withdraw it
Proof of Concept
Document says that "The reserve cannot be withdrawn by anyone; it can only be used to incentivize draws and supplement prize liquidity.". But in the code, function withdrawReserve is used to withdraw reserve, and it only can be called by DrawManager
function withdrawReserve(address _to, uint104 _amount) external onlyDrawManager {
//@audit reverse cant be withdrawed by anyone as document said ....
if (_amount > _reserve) {
revert InsufficientReserve(_amount, _reserve);
}
_reserve -= _amount;
_transfer(_to, _amount);
emit WithdrawReserve(_to, _amount);
}
Tools Used
Manual review
Recommended Mitigation Steps
remove withdrawReserve function or modify document
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L335-L342
Vulnerability details
Impact
Reserve can be withdrawn by DrawManager, or when DrawManager is hacked, attacker can withdraw it
Proof of Concept
Document says that "The reserve cannot be withdrawn by anyone; it can only be used to incentivize draws and supplement prize liquidity.". But in the code, function withdrawReserve is used to withdraw reserve, and it only can be called by DrawManager
Tools Used
Manual review
Recommended Mitigation Steps
remove withdrawReserve function or modify document
Assessed type
Other