code-423n4 / 2023-07-pooltogether-findings


When expanding the number of tiers during a new draw, the prizeTokenPerShare of the new Tiers is not the right one #271

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/abstract/TieredLiquidityDistributor.sol#L361-L366

Vulnerability details

Impact

Newly created tiers will have the wrong prizeTokenPerShare

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/abstract/TieredLiquidityDistributor.sol#L361-L366

Tools Used

VSC

Recommended Mitigation Steps

Line 364, set 'newPrizeTokenPerShare' instead of 'prizeTokenPerShare' as the new Tier prizeTokenPerShare.

Assessed type

Error

asselstine commented 1 year ago

The tier prizeTokenPerShare is how much liquidity has already been consumed by the tier. That's why, for new tiers, it sets the prizeTokenPerShare for each tier to the previous amount. The new tiers only have liquidity for the most recently completed draw.

Like so: available tier liquidity = (newPrizeTokenPerShare - tier's prizeTokenPerShare) * tier shares

As prizes are consumed for a tier, the tier's prizeTokenPerShare will increase.
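The accounting described in the comment above, as an added example that is not part of the thread or of the PoolTogether code base: a simplified Python model of the formula `available = (newPrizeTokenPerShare - tier's prizeTokenPerShare) * tier shares`, comparing a new tier that starts at the previous prizeTokenPerShare with one that starts at newPrizeTokenPerShare. `TierModel`, `scenario`, equal shares per tier, integer math and all amounts are assumptions constructed for illustration.

```python
class TierModel:
    """Toy per-share accumulator; a simplified model, not the PoolTogether contract."""

    def __init__(self, num_tiers, shares_per_tier):
        self.shares = shares_per_tier
        self.prize_token_per_share = 0          # global accumulator
        self.tier_per_share = [0] * num_tiers   # per tier: liquidity already consumed
        self.contributed = 0
        self.consumed = 0

    def next_draw(self, liquidity, add_tier=False, new_tier_start="previous"):
        previous = self.prize_token_per_share
        num_tiers = len(self.tier_per_share) + (1 if add_tier else 0)
        new_prize_token_per_share = previous + liquidity // (num_tiers * self.shares)
        if add_tier:
            # "previous": the new tier is treated as having consumed all older liquidity.
            # "new": the change proposed in the report.
            start = previous if new_tier_start == "previous" else new_prize_token_per_share
            self.tier_per_share.append(start)
        self.prize_token_per_share = new_prize_token_per_share
        self.contributed += liquidity

    def available(self, tier):
        return (self.prize_token_per_share - self.tier_per_share[tier]) * self.shares

    def consume(self, tier, amount):
        if amount > self.available(tier) or amount % self.shares:
            raise ValueError("amount exceeds tier liquidity or is not a whole per-share step")
        self.tier_per_share[tier] += amount // self.shares  # consumption raises the tier value
        self.consumed += amount


def scenario(new_tier_start):
    """Two tiers, one payout, then a draw that expands to three tiers."""
    m = TierModel(num_tiers=2, shares_per_tier=100)
    m.next_draw(2_000)       # 2000 / 200 shares = +10 per share
    m.consume(0, 1_000)      # tier 0 pays out its whole allocation
    m.next_draw(3_000, add_tier=True, new_tier_start=new_tier_start)  # 3000 / 300 = +10
    per_tier = [m.available(t) for t in range(3)]
    return per_tier, m.contributed - m.consumed


if __name__ == "__main__":
    for start in ("previous", "new"):
        per_tier, outstanding = scenario(start)
        print(start, per_tier, "claimable:", sum(per_tier), "outstanding:", outstanding)
```

Starting the new tier at the previous value makes the per-tier amounts sum to the outstanding liquidity; starting it at the new value leaves that tier with nothing from the draw that created it, so part of the latest draw is assigned to no tier in this model.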

c4-sponsor commented 1 year ago

asselstine marked the issue as sponsor disputed

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid