code-423n4 / 2023-07-pooltogether-findings


Reserve can be withdrawn by malicious DrawManager #157

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L335-L342

Vulnerability details

Impact

The reserve can be withdrawn by the DrawManager, or, when the DrawManager is hacked, an attacker can withdraw it.

Proof of Concept

The document says that "The reserve cannot be withdrawn by anyone; it can only be used to incentivize draws and supplement prize liquidity." But in the code, the function withdrawReserve is used to withdraw the reserve, and it can only be called by the DrawManager.

function withdrawReserve(address _to, uint104 _amount) external onlyDrawManager {
  //@audit reserve can't be withdrawn by anyone, as the document said ....
  if (_amount > _reserve) {
    revert InsufficientReserve(_amount, _reserve);
  }
  _reserve -= _amount;
  _transfer(_to, _amount);
  emit WithdrawReserve(_to, _amount);
}

Tools Used

Manual review

Recommended Mitigation Steps

Remove the withdrawReserve function or modify the document.

Assessed type

Other

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient quality