Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L607-L629
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1043-L1078
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L407-L476
Vulnerability details
When a Claimer claims a prize, it can set any fee and any fee recipient address it wants.
The only limit on the fee is the prizeSize of the tier, which does not prevent the attack.
The fee is transferred directly to the feeRecipient address, which is controlled by the Claimer that supplied it; the rest is transferred to the winner.
So the attack scenario here is: for each winner in the vault, a malicious Claimer calculates the prize according to the winner's tier and sets _feePerClaim equal to that prize, with _feeRecipient set to an address he/she controls. Repeating this for every winner, all rewards are stolen.
Impact
All rewards can be stolen by a malicious Claimer.
Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
Remove the Claimer role and create a new mechanism that automatically transfers the reward to the user, along with a constant fee.
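The following is an added, simplified Solidity model of the claim path described in the vulnerability details and of the constant-fee mitigation above; it is not code from pt-v5-vault or PrizePool, and the contract name, MAX_FEE, claimerFeeVault, claimPrizeWeak and claimPrizeFixed are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model (not the pt-v5 code) of prize claiming with a claimer fee.
/// Hypothetical names: MAX_FEE, claimerFeeVault, claimPrizeWeak, claimPrizeFixed.
contract PrizeClaimModel {
    mapping(uint8 => uint256) public prizeSize;   // prize amount per tier (constructed values)
    mapping(address => uint256) public balance;   // who ended up holding the funds

    uint256 public constant MAX_FEE = 0.01 ether; // protocol-chosen constant fee
    address public immutable claimerFeeVault;     // fixed fee destination, not caller-supplied

    constructor(address _feeVault) {
        claimerFeeVault = _feeVault;
        prizeSize[0] = 10 ether;
        prizeSize[1] = 1 ether;
    }

    /// Weak variant: the only bound is _feePerClaim <= prizeSize[tier] and the
    /// recipient is caller-supplied, so a fee equal to the prize sends the
    /// whole prize to _feeRecipient and the winner receives nothing.
    function claimPrizeWeak(
        address winner,
        uint8 tier,
        uint256 _feePerClaim,
        address _feeRecipient
    ) external {
        uint256 prize = prizeSize[tier];
        require(_feePerClaim <= prize, "fee exceeds prize");
        balance[_feeRecipient] += _feePerClaim;
        balance[winner] += prize - _feePerClaim;
    }

    /// Hardened variant following the recommendation: the fee is a constant,
    /// the fee destination is fixed at deployment, and the winner is always
    /// credited prize - MAX_FEE regardless of who triggers the claim.
    function claimPrizeFixed(address winner, uint8 tier) external {
        uint256 prize = prizeSize[tier];
        require(prize > MAX_FEE, "prize too small to cover fee");
        balance[claimerFeeVault] += MAX_FEE;
        balance[winner] += prize - MAX_FEE;
    }
}
```

In the hardened variant the caller has no parameter that influences either the fee amount or where it goes, which is the invariant the finding says the current claim path lacks.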
Assessed type
Other