code-423n4 / 2023-07-pooltogether-findings


Users can grief high prize winner by taking advantage of VRGDA mechanism #375

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-claimer/blob/57a381aef690a27c9198f4340747155a71cae753/src/libraries/LinearVRGDALib.sol#L39

Vulnerability details

Impact

A malicious actor can grief a low-tier prize winner by taking advantage of the VRGDA system to make the period at which fee prices are reasonable extremely short. The gas price for this short period of time will dictate if the prize gets claimed.

Proof of Concept

The fees paid to bots for claiming prizes are calculated based on a variable rate gradual reverse Dutch auction, where they start at 0 at time 0 and are incremented until the target price at the target time. This mechanism gradually increases the fee price it's willing to offer to bots for executing the prize claims. The target time is the draw period and the target price is the maxFee that the protocol is willing to pay per claim.

It compares the amount sold to the expected amount sold at the current time, and the result will dictate how sharply it increases the price. If too many are being sold relative to what's expected, the following price calculations will result in a really low price, which won't increase much until the current time catches up with the expected time at which the number of units that were sold was supposed to be sold.

A bot could claim all the prizes except the high tier 0 prize. In an example with 10.000 prizes to claim, if a bot were to buy 9.999 fees at the beginning of the auction, this would leave a really low price until the current time is actually close to the expected time at which 9.999 fees should be sold, meaning at time 9.999/10.000 of the draw period.

This means that only at the last moment would prices start scaling up, which leaves bots with a small margin of time at which they can buy fees at a reasonable price. This puts extra pressure on the gas price at that time, which can cause bots to skip the claiming of that prize since the gas cost of claiming that prize is no longer profitable.

Tools Used

Manual Review

Recommended Mitigation Steps

Setting a shorter time period for the VRGDA, and leaving a time period where maxFee has been reached to counter the pressure.

Assessed type

Timing
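A small Python model of the auction behaviour the report describes, added here as an illustration (it is not PoolTogether's code and does not reproduce LinearVRGDALib.sol's constants): it assumes a linear claim schedule, a fee that ramps exponentially from a minimum fee on schedule to `max_fee` over one draw period, and a clamp at `max_fee`, then measures for how much of the draw period the fee offered for the one unclaimed prize would cover a given gas cost, with and without 9,999 early claims.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class VrgdaParams:
    total_claims: int    # prizes expected to be claimed over the draw period
    draw_period: float   # seconds; the VRGDA target time
    min_fee: float       # fee offered when claims are exactly on schedule (model assumption)
    max_fee: float       # cap on the fee the protocol will pay per claim

    @property
    def per_time_unit(self) -> float:
        # Linear schedule: claims expected per second.
        return self.total_claims / self.draw_period

    @property
    def decay_k(self) -> float:
        # Rate chosen so the fee ramps from min_fee to max_fee over one draw
        # period when nothing is claimed (model assumption, not the library's).
        return math.log(self.max_fee / self.min_fee) / self.draw_period


def target_sale_time(p: VrgdaParams, n: int) -> float:
    """Time at which the n-th claim is expected under the linear schedule."""
    return n / p.per_time_unit


def fee_for_next_claim(p: VrgdaParams, t: float, sold: int) -> float:
    """Fee offered at time t for claim number sold+1, clamped at max_fee.

    A negative lag (claims ahead of schedule) pushes the fee far below min_fee,
    which is the effect the report relies on."""
    lag = t - target_sale_time(p, sold + 1)
    return min(p.min_fee * math.exp(p.decay_k * lag), p.max_fee)


def profitable_fraction(p: VrgdaParams, sold: int, gas_cost: float) -> float:
    """Fraction of the draw period during which the fee for claim sold+1 covers
    gas_cost, assuming no further claims happen in the meantime."""
    if gas_cost <= 0:
        return 1.0
    if gas_cost > p.max_fee:
        return 0.0
    # Solve min_fee * exp(k * (t - target_time)) >= gas_cost for t.
    t_start = target_sale_time(p, sold + 1) + math.log(gas_cost / p.min_fee) / p.decay_k
    t_start = min(max(t_start, 0.0), p.draw_period)
    return (p.draw_period - t_start) / p.draw_period


if __name__ == "__main__":
    # Constructed parameters: 10,000 prizes, one-day draw, gas cost of half the minimum fee.
    p = VrgdaParams(total_claims=10_000, draw_period=86_400, min_fee=0.001, max_fee=0.1)
    gas = 0.0005
    print(f"no early claims:       fee covers gas for {profitable_fraction(p, 0, gas):.1%} of the draw")
    print(f"9,999 claimed at t=0:  fee covers gas for {profitable_fraction(p, 9_999, gas):.1%} of the draw")
```

Under these assumptions the profitable window for the last prize shrinks from the whole draw period to about 15% of it at its very end, which is the pressure on gas price the report describes.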

Picodes commented 1 year ago

So this report is about the speed of the VRGDA being potentially too fast, but I don't see where in the code the issue would be or who the malicious actor is.

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient proof