Anyone can revoke the chances to win for any other user. A malicious actor can use the vulnerability to exclude big depositors from the draws, thus increasing the malicious actor's chances to win prizes.
Allows users to revoke their chances to win by delegating to the sponsorship address.
The vulnerability is that the sponsor function can be called on any address, without the address' owner permission. A malicious actor can call the sponsor address with the amount of assets set to 0 (or 1 wei) and the receiver address set to the address of a whale (the top holder of shares). _twabController.sponsor will be called with the whale's address, and all their shares will be delegated to the sponsorship address, thus completely preventing the whale from participating in draws.
As can be seen from the _transferDelegateBalance function, when delegating to the sponsorship address, the delegated balance of the user and the total supply is decreased. This will create a new observation with the delegate balance of the whale set to 0. The TWAB of a user is the most important metric when determining if the user is a winner in a draw or not. Thus, by delegating user's balance to the sponsorship address, the TWAB of the user will be reduced, thus reducing their chances to win draws. Since the sponsor function can be called on any address, it can also be used to un-delegate all the tokens delegated to the victim, to reduce the victim's delegated balance to 0 and totally exclude them from competing for draws.
Tools Used
Manual review
Recommended Mitigation Steps
In the Vault.sponsor and Vault.sponsorWithPermit functions, consider setting the receiver parameter to msg.sender and consider disallowing the caller to specify it.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L988
Vulnerability details
Impact
Anyone can revoke the chances to win for any other user. A malicious actor can use the vulnerability to exclude big depositors from the draws, thus increasing the malicious actor's chances to win prizes.
Proof of Concept
The Vault.sponsor function allows the caller to:
As per the definition of the sponsorship address (TwabController.sol#L23-L24):
The vulnerability is that the
sponsor
function can be called on any address, without the address' owner permission. A malicious actor can call thesponsor
address with the amount of assets set to 0 (or 1 wei) and the receiver address set to the address of a whale (the top holder of shares)._twabController.sponsor
will be called with the whale's address, and all their shares will be delegated to the sponsorship address, thus completely preventing the whale from participating in draws.As can be seen from the _transferDelegateBalance function, when delegating to the sponsorship address, the delegated balance of the user and the total supply is decreased. This will create a new observation with the delegate balance of the whale set to 0. The TWAB of a user is the most important metric when determining if the user is a winner in a draw or not. Thus, by delegating user's balance to the sponsorship address, the TWAB of the user will be reduced, thus reducing their chances to win draws. Since the
sponsor
function can be called on any address, it can also be used to un-delegate all the tokens delegated to the victim, to reduce the victim's delegated balance to 0 and totally exclude them from competing for draws.Tools Used
Manual review
Recommended Mitigation Steps
In the
Vault.sponsor
andVault.sponsorWithPermit
functions, consider setting the receiver parameter tomsg.sender
and consider disallowing the caller to specify it.Assessed type
Other