Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L607
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1043
Vulnerability details
Impact
Winners have the option to set up hooks so that their own contracts are executed before and after a prize claim. When a claim happens, the Vault._claimPrize() function checks whether the winner has configured a hook; if so, it calls winnerContractHook.beforeClaimPrize(), and after the prize has been claimed it calls winnerContractHook.afterClaimPrize().
The problem is that all of the transaction's remaining gas is forwarded to those external calls. Because no gas limit is set on either external call, Vault._claimPrize() can be reverted by an out-of-gas error, or the claimer can be made to spend far more gas on the claim than it should cost.
Winners can, maliciously or accidentally, set up hooks that consume all the available gas or force the claimer to waste more gas than necessary.
Proof of Concept
Code lines 1053 and 1068 call the winner's contract without any limit on the gas sent to those external calls.
Tools used
Manual review
Recommended Mitigation Steps
Add a gas limit to each external call made to the winner's hook contract. Additionally, implement a function that lets the winner claim their own prize directly.
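The following contract is an added illustration of both mitigation steps; it is not code from the pt-v5-vault repository, and the hook interface, the HOOK_GAS figure, the 10_000 gas overhead constant and the prize accounting are all assumptions made for the example. It shows the unbounded-call problem being replaced by a fixed gas stipend, with the two further checks a reviewer would ask for: the caller must hold enough gas that the stipend survives the EIP-150 63/64 rule (otherwise a claimer could starve the hook deliberately and have it fail silently), and only one word of return data is copied so a hook cannot inflate the vault's memory cost with a large return payload.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hook interface assumed for this example. It mirrors the beforeClaimPrize /
/// afterClaimPrize pair the finding describes; the parameter lists are
/// illustrative, not the project's own.
interface IVaultHooks {
    function beforeClaimPrize(address winner, uint8 tier, uint32 prizeIndex) external returns (address recipient);
    function afterClaimPrize(address winner, uint8 tier, uint32 prizeIndex, uint256 prize, address recipient) external;
}

contract BoundedHookVault {
    struct VaultHooks {
        bool useBeforeClaimPrize;
        bool useAfterClaimPrize;
        IVaultHooks implementation;
    }

    /// Gas stipend forwarded to each winner hook (hypothetical figure; size it to
    /// the legitimate hook work the vault wants to support).
    uint256 public constant HOOK_GAS = 150_000;

    mapping(address => VaultHooks) internal _hooks;
    mapping(address => uint256) public prizeOwed;       // constructed stand-in for prize accounting
    mapping(address => uint256) public claimedBalance;  // constructed stand-in for the payout

    event HookFailed(address indexed winner, bytes4 indexed selector);
    event PrizeClaimed(address indexed winner, address indexed recipient, uint256 prize);

    function setHooks(VaultHooks calldata hooks) external {
        _hooks[msg.sender] = hooks;
    }

    /// Permissionless claim: a claimer bot calls this on the winner's behalf.
    function claimPrize(address winner, uint8 tier, uint32 prizeIndex) external returns (uint256 prize) {
        return _claimPrize(winner, tier, prizeIndex);
    }

    /// Self-claim path from the mitigation: the winner claims directly, so a
    /// broken hook can never make the prize depend on a third party's gas.
    function claimOwnPrize(uint8 tier, uint32 prizeIndex) external returns (uint256 prize) {
        return _claimPrize(msg.sender, tier, prizeIndex);
    }

    function _claimPrize(address winner, uint8 tier, uint32 prizeIndex) internal returns (uint256 prize) {
        VaultHooks memory hooks = _hooks[winner];
        address recipient = winner;

        if (hooks.useBeforeClaimPrize) {
            (bool ok, bytes32 word) = _boundedCall(
                address(hooks.implementation),
                abi.encodeWithSelector(IVaultHooks.beforeClaimPrize.selector, winner, tier, prizeIndex)
            );
            if (!ok) {
                emit HookFailed(winner, IVaultHooks.beforeClaimPrize.selector);
            } else if (word != bytes32(0)) {
                recipient = address(uint160(uint256(word)));
            }
        }

        prize = _payPrize(winner, recipient);

        if (hooks.useAfterClaimPrize) {
            (bool ok,) = _boundedCall(
                address(hooks.implementation),
                abi.encodeWithSelector(IVaultHooks.afterClaimPrize.selector, winner, tier, prizeIndex, prize, recipient)
            );
            if (!ok) emit HookFailed(winner, IVaultHooks.afterClaimPrize.selector);
        }
    }

    /// Low-level call with a fixed gas stipend. The require guarantees the callee
    /// really receives HOOK_GAS after the 63/64 rule (the 10_000 overhead is an
    /// assumed margin for the surrounding bookkeeping). At most one 32-byte word of
    /// return data is copied into scratch space, so the callee cannot grief the
    /// vault with an oversized return payload.
    function _boundedCall(address target, bytes memory data) internal returns (bool ok, bytes32 word) {
        uint256 stipend = HOOK_GAS;
        require(gasleft() >= (stipend * 64) / 63 + 10_000, "insufficient gas for hook");
        assembly {
            ok := call(stipend, target, 0, add(data, 0x20), mload(data), 0, 0)
            if and(ok, iszero(lt(returndatasize(), 0x20))) {
                returndatacopy(0, 0, 0x20)
                word := mload(0)
            }
        }
    }

    /// Constructed payout: moves the owed prize to the recipient's claimed balance.
    function _payPrize(address winner, address recipient) internal returns (uint256 prize) {
        prize = prizeOwed[winner];
        prizeOwed[winner] = 0;
        claimedBalance[recipient] += prize;
        emit PrizeClaimed(winner, recipient, prize);
    }
}
```

A hook that loops until its stipend is exhausted now only burns HOOK_GAS and is recorded as HookFailed; the claim itself still completes, and the claimer's gas exposure is bounded by the stipend rather than by the transaction's gas limit. The low-level call is used instead of try/catch on purpose: a try block still ABI-decodes the return value in the caller, so a hook returning malformed data could revert the claim from inside the decode, whereas the bounded call treats anything other than a clean 32-byte word as "no recipient override".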
Assessed type
call/delegatecall