code-423n4 / 2023-07-pooltogether-findings


Griefing attack: Vault owner can prevent user claiming rewards #158

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L607-#L632

Vulnerability details

Impact

Users can only claim rewards when the reward is distributed by calling the claimPrize() function.

```solidity
function claimPrizes(
    uint8 _tier,
    address[] calldata _winners,
    uint32[][] calldata _prizeIndices,
    uint96 _feePerClaim,
    address _feeRecipient
) external returns (uint256) {
    if (msg.sender != _claimer) revert CallerNotClaimer(msg.sender, _claimer);
    uint totalPrizes;
    for (uint w = 0; w < _winners.length; w++) {
        uint prizeIndicesLength = _prizeIndices[w].length;
        for (uint p = 0; p < prizeIndicesLength; p++) {
            totalPrizes += _claimPrize(
                _winners[w],
                _tier,
                _prizeIndices[w][p],
                _feePerClaim,
                _feeRecipient
            );
        }
    }
    return totalPrizes;
}
```

This function can only be called by the _claimer role:

```solidity
if (msg.sender != _claimer) revert CallerNotClaimer(msg.sender, _claimer);
```

If the vault owner sets themselves as claimer, or sets the claimer to an address he/she controls, he can simply not execute the function, which means users can't claim rewards.

Proof of Concept

As described

Tools Used

Manual review

Recommended Mitigation Steps

Consider removing the claimer role and making another mechanism for users to claim rewards right after they are distributed.

Assessed type

Other
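The gate quoted in the finding next to one possible form of the suggested mitigation, as an added sketch that is not part of the original report and is not PoolTogether code. Only `_claimer` and `CallerNotClaimer` come from the page; the toy ledger (`owed`, `paid`), `award`, `claimGated`, `claimSelf`, `_settle` and the other errors are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: a toy vault, not the project's Vault.sol. The ledger
// below replaces the real prize pool and token transfers (assumption).
contract ClaimGateSketch {
    error CallerNotClaimer(address caller, address claimer);
    error NothingToClaim(address winner, uint32 prizeIndex);
    error FeeTooHigh(uint96 fee, uint256 prize);

    address private _claimer;                                   // chosen by the vault owner
    mapping(address => mapping(uint32 => uint256)) public owed; // winner => prizeIndex => amount
    mapping(address => uint256) public paid;                    // stand-in for token transfers

    constructor(address claimer_) {
        _claimer = claimer_;
    }

    // Hypothetical helper standing in for the prize pool awarding a prize.
    function award(address winner, uint32 prizeIndex, uint256 amount) external {
        owed[winner][prizeIndex] += amount;
    }

    // Gate as quoted in the finding: only _claimer can trigger a payout, so
    // payout liveness depends entirely on that one address choosing to act.
    function claimGated(address winner, uint32 prizeIndex, uint96 fee, address feeRecipient)
        external returns (uint256)
    {
        if (msg.sender != _claimer) revert CallerNotClaimer(msg.sender, _claimer);
        return _settle(winner, prizeIndex, fee, feeRecipient);
    }

    // One possible mitigation: a winner can always claim their own prize,
    // with no fee, whether or not the claimer ever calls claimGated.
    function claimSelf(uint32 prizeIndex) external returns (uint256) {
        return _settle(msg.sender, prizeIndex, 0, address(0));
    }

    function _settle(address winner, uint32 prizeIndex, uint96 fee, address feeRecipient)
        private returns (uint256 prize)
    {
        prize = owed[winner][prizeIndex];
        if (prize == 0) revert NothingToClaim(winner, prizeIndex);
        if (fee > prize) revert FeeTooHigh(fee, prize);
        owed[winner][prizeIndex] = 0; // clear the entry before crediting
        paid[winner] += prize - fee;
        if (fee != 0) paid[feeRecipient] += fee;
    }
}
```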

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #324

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory