code-423n4 / 2023-07-pooltogether-findings


Front-Running Risk in setDrawManager Function #248

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306

Vulnerability details

The setDrawManager function in the provided contract is also susceptible to front-running attacks. This means that if there is a pending transaction to set a new draw manager, an attacker can observe that transaction and submit their own transaction with a higher gas price to set themselves as the draw manager before the original transaction gets confirmed. By front-running the draw manager assignment, the attacker can take control over the draw manager role and potentially manipulate the contract's behavior.

Impact

An attacker can front-run the draw manager assignment and gain unauthorized control over the draw manager role. As the draw manager, they can manipulate draws, alter prize distributions, or disrupt the contract's intended functionality. This can lead to unfair distribution of prizes, financial loss, or other undesirable consequences.

Proof of Concept

To exploit this vulnerability, an attacker can monitor pending transactions and submit their transaction with a higher gas price to set themselves as the draw manager:

```solidity
// Deploy the contract and wait for a pending transaction to set the draw manager
// Observe the pending transaction details, including the gas price

// Submit a competing transaction with a higher gas price to set attackerAddress as the draw manager
prizePool.setDrawManager(attackerAddress);
```

Tools Used

manual

Recommended Mitigation Steps

Introduce a delay mechanism that allows time for the initial transaction to confirm before accepting subsequent draw manager assignment transactions.

Assessed type

Other
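One way to realise the recommended delay mechanism is a two-step, time-locked assignment: a privileged proposer nominates the candidate, and the candidate can only accept once a fixed delay has elapsed. The contract below is an added illustration written for this page; it is not PoolTogether's PrizePool code, and the contract name, function names, the `owner` restriction on proposals and the one-day delay are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative contract (not PoolTogether's code). Demonstrates a delayed,
/// two-step draw-manager assignment as one way to implement the delay
/// mechanism recommended above. All names and the delay value are assumed.
contract DelayedDrawManager {
    uint256 public constant ASSIGNMENT_DELAY = 1 days; // assumed value

    address public owner;
    address public drawManager;
    address public pendingDrawManager;
    uint256 public pendingSince;

    event DrawManagerProposed(address indexed candidate, uint256 effectiveAt);
    event DrawManagerSet(address indexed newManager);

    error NotOwner();
    error NotPendingCandidate();
    error DelayNotElapsed(uint256 effectiveAt);
    error ZeroAddress();

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: only the owner may propose a candidate. A transaction sent by
    /// anyone else reverts regardless of gas price, and a later owner
    /// proposal simply replaces the pending slot and restarts the clock.
    function proposeDrawManager(address candidate) external {
        if (msg.sender != owner) revert NotOwner();
        if (candidate == address(0)) revert ZeroAddress();
        pendingDrawManager = candidate;
        pendingSince = block.timestamp;
        emit DrawManagerProposed(candidate, block.timestamp + ASSIGNMENT_DELAY);
    }

    /// Step 2: only the proposed candidate may accept, and only after the
    /// delay. Because the proposal is public on-chain for the whole delay,
    /// observers can review or contest it before it takes effect.
    function acceptDrawManager() external {
        if (msg.sender != pendingDrawManager) revert NotPendingCandidate();
        uint256 effectiveAt = pendingSince + ASSIGNMENT_DELAY;
        if (block.timestamp < effectiveAt) revert DelayNotElapsed(effectiveAt);

        drawManager = msg.sender;
        delete pendingDrawManager;
        delete pendingSince;
        emit DrawManagerSet(msg.sender);
    }
}
```

The pending proposal and its `effectiveAt` timestamp are emitted as an event, so a monitoring job can alert on any `DrawManagerProposed` whose candidate is not the expected address while there is still time to act, which is the practical benefit of the delay over an immediate single-call setter.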

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #356

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory