code-423n4 / 2023-07-pooltogether-findings


reserve may be smaller than expected in PrizePool.sol #354

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L498-L502

Vulnerability details

Impact

Part of the contributions to the vault is recorded as a reserve. This part serves two purposes:

The reserve contribution uses increaseReserve() (https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L498-L502), allowing anyone to contribute directly to the prize pool reserve. However, it is not taken into account that some tokens take a built-in commission on every transfer. Thus, the PrizePool.sol account will receive less than expected. At a certain moment there may not be any tokens in the reserve account at all, although the contract will assume that there are.

Proof of Concept

https://github.com/d-xo/weird-erc20#fee-on-transfer

Tools Used

Manual review

Recommended Mitigation Steps

In increaseReserve(), record the old balance of prizeToken, transfer the prizeToken to the contract address, read the new balance, and record the difference between the new and the old balance in _reserve.

Assessed type

Token-Transfer
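The pattern the finding describes and the balance-delta fix it recommends, shown side by side as an added example. This is not the PrizePool code: the contract names, the `reserve` variable, the `uint256` amounts and the constructed token that burns a 1% fee on every transfer are all assumptions made for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface used below (assumption: standard bool-returning semantics).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed fee-on-transfer token for the demo: 1% of every transfer is burned,
// so the recipient always receives less than the amount passed to transferFrom().
contract FeeOnTransferToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public constant FEE_BPS = 100; // 1% in basis points

    constructor() {
        balanceOf[msg.sender] = 1_000_000 ether;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[to] += amount - fee; // the fee simply disappears
        return true;
    }
}

// The pattern the finding points at: the reserve is credited with the requested
// amount, regardless of how many tokens actually arrive.
contract ReserveUnsafe {
    IERC20 public immutable prizeToken;
    uint256 public reserve;

    constructor(IERC20 token) {
        prizeToken = token;
    }

    function increaseReserve(uint256 amount) external {
        reserve += amount; // trusts `amount`, not the contract's balance
        require(prizeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
}

// The recommended mitigation: measure the balance before and after the transfer
// and credit only the difference that really landed in the contract.
contract ReserveSafe {
    IERC20 public immutable prizeToken;
    uint256 public reserve;

    constructor(IERC20 token) {
        prizeToken = token;
    }

    function increaseReserve(uint256 amount) external {
        uint256 before = prizeToken.balanceOf(address(this));
        require(prizeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = prizeToken.balanceOf(address(this)) - before;
        reserve += received; // accounting matches what is actually held
    }
}

// Drives both contracts with the same deposit so the divergence can be compared.
contract ReserveDemo {
    function run()
        external
        returns (uint256 unsafeReserve, uint256 unsafeBalance, uint256 safeReserve, uint256 safeBalance)
    {
        FeeOnTransferToken token = new FeeOnTransferToken(); // this contract holds the supply
        IERC20 erc20 = IERC20(address(token));
        ReserveUnsafe unsafePool = new ReserveUnsafe(erc20);
        ReserveSafe safePool = new ReserveSafe(erc20);
        uint256 amount = 1_000 ether;

        token.approve(address(unsafePool), amount);
        unsafePool.increaseReserve(amount);

        token.approve(address(safePool), amount);
        safePool.increaseReserve(amount);

        unsafeReserve = unsafePool.reserve();
        unsafeBalance = erc20.balanceOf(address(unsafePool));
        safeReserve = safePool.reserve();
        safeBalance = erc20.balanceOf(address(safePool));
    }
}
```

Deploy `ReserveDemo` and call `run()`: `ReserveUnsafe` reports a reserve larger than its token balance by exactly the burned fee, while `ReserveSafe` reports a reserve equal to its balance. Two caveats for anyone adopting the delta pattern: it only counts what the transfer delivered, so it cannot fix accounting elsewhere that also trusts the nominal amount, and if the token can call back into the pool during the transfer (ERC777-style hooks) another deposit could land inside the measured window, so combine it with a reentrancy guard.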

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

Picodes commented 1 year ago

prizeToken will be the protocol's native token according to the documentation

c4-judge commented 1 year ago

Picodes marked the issue as grade-b