This is due to the setDrawManager() function having no access control implemented:
    // No check on msg.sender: any external account can call this setter.
    function setDrawManager(address _drawManager) external {
        if (drawManager != address(0)) {
            revert DrawManagerAlreadySet();
        }
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
An attacker can override the address set in the constructor as drawManager to his own address via the setDrawManager() function, which has no access control, and bypass the access control on the withdrawReserve() function, thereby draining the funds from the reserve.
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L335-L342
Vulnerability details
Impact
Attacker can drain tokens from the reserve.
Proof of Concept
This is due to the setDrawManager() function having no access control implemented. An attacker can override the address set in the constructor as drawManager to his own address via the setDrawManager() function, which has no access control, and bypass the access control on the withdrawReserve() function, thereby draining the funds from the reserve.
Tools Used
Manual Review
Recommended Mitigation Steps
Add access control to setDrawManager() function.
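One way to apply this mitigation, shown as an added example that is not the project's code or its actual fix. The contract name, the `creator` variable, the `NotCreator`, `ZeroAddress`, `CallerNotDrawManager` and `InsufficientReserve` errors, and the simplified `reserve` counter (no token transfer) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative sketch only, not PrizePool.sol. All names other than
/// drawManager, setDrawManager, withdrawReserve, DrawManagerAlreadySet
/// and DrawManagerSet are hypothetical.
contract ReserveWithGuardedSetter {
    error DrawManagerAlreadySet();
    error NotCreator();           // hypothetical
    error ZeroAddress();          // hypothetical
    error CallerNotDrawManager(); // hypothetical
    error InsufficientReserve();  // hypothetical

    event DrawManagerSet(address indexed drawManager);

    address public immutable creator; // deployer: the only account allowed to set the manager
    address public drawManager;
    uint256 public reserve;           // simplified stand-in for the reserve balance

    constructor(address _drawManager, uint256 _initialReserve) {
        creator = msg.sender;
        // Assumption: the deployer may pass address(0) and set the manager later.
        drawManager = _drawManager;
        reserve = _initialReserve;
        if (_drawManager != address(0)) emit DrawManagerSet(_drawManager);
    }

    /// One-time setter, restricted to the deployer.
    function setDrawManager(address _drawManager) external {
        if (msg.sender != creator) revert NotCreator();
        if (_drawManager == address(0)) revert ZeroAddress();
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }

    /// Privileged path whose caller check depends on drawManager being trustworthy.
    function withdrawReserve(uint256 _amount) external returns (uint256) {
        if (msg.sender != drawManager) revert CallerNotDrawManager();
        if (_amount > reserve) revert InsufficientReserve();
        reserve -= _amount;
        return reserve;
    }
}
```

The caller check in `withdrawReserve()` is only as strong as the check on who may write `drawManager`, so both functions need a guard.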
Assessed type
Access Control