Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1068-L1073
Vulnerability details
Impact
Prize claims can be executed by external actors to get some fees as a reward. These fees are dynamic and are limited in range, and some hooks will be executed before and after the claim.
As the fees are deducted from the prizeTotal received by the winner, they could be incentivized to create an afterClaimPrize hook that reverts the transaction when fees are too high, to maximize the total profit.
As the transaction is executed by the claimer, the winner doesn't lose anything by doing so, and at most, they can wait until the last moment before their prize expires to disable the hook.
This results in a very bad experience for claimers as their transaction will revert and they will waste gas, possibly eroding trust in the claiming system.
Proof of Concept
claimPrize is executed between two hooks: https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1052-L1075
A vault can check the fee paid for this claim by calculating the delta between prizeTotal and prizeTotal - _fee, as they are part of the same transaction.
If this delta is too high, the vault might revert the transaction inside the afterClaimPrize hook until the market conditions are better.
Tools Used
Manual review
Recommended Mitigation Steps
Consider removing the afterClaimPrize hook to avoid this scenario.
Assessed type
DoS
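The claim flow from the Proof of Concept, as an added Python model that is not part of the original report or the PoolTogether code base: it shows the claimer's net result when an after-claim hook reverts on the fee delta, and the same claim when the hook is not called (the recommended mitigation). The class layout, the hook arguments, `fee_capped_hook`, `attempt_claim` and the flat `gas_cost` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""

# Assumed hook shape: receives the gross prize and the net payout to the winner.
AfterHook = Callable[[int, int], None]

def fee_capped_hook(max_fee: int) -> AfterHook:
    """Winner-configured hook that reverts when the claimer's fee exceeds max_fee."""
    def hook(prize_total: int, payout: int) -> None:
        if prize_total - payout > max_fee:   # the fee is the delta described above
            raise Revert("fee too high")
    return hook

@dataclass
class Vault:
    prize_total: int
    after_hook: Optional[AfterHook] = None
    call_after_hook: bool = True             # False models removing the hook
    claimed: bool = False
    balances: dict = field(default_factory=lambda: {"winner": 0, "claimer": 0})

    def claim_prize(self, fee: int) -> int:
        snapshot = (self.claimed, dict(self.balances))
        try:
            if self.claimed:
                raise Revert("already claimed")
            self.claimed = True
            self.balances["winner"] += self.prize_total - fee
            self.balances["claimer"] += fee
            if self.call_after_hook and self.after_hook:
                self.after_hook(self.prize_total, self.prize_total - fee)
            return self.prize_total
        except Revert:
            self.claimed, self.balances = snapshot   # roll back the transaction
            raise

def attempt_claim(vault: Vault, fee: int, gas_cost: int) -> int:
    """Claimer's net result: fee minus gas on success, minus gas alone on revert."""
    try:
        vault.claim_prize(fee)
        return fee - gas_cost
    except Revert:
        return -gas_cost                     # gas is spent even though state is reverted
```

In the reverted case the prize stays unclaimed, so the winner can still receive it later at a lower fee, while the claimer has already paid for the failed attempt.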