Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L311-L330
Vulnerability details
Impact
An attacker can call the contributePrizeTokens function with a lower amount of tokens than claimed, misleading the contract into updating the accumulator and emitting the event based on the incorrect amount. As a result, the prize pool's internal state will be inconsistent, and participants may not receive the correct rewards.
Proof of Concept
In the contributePrizeTokens function, the amount of tokens being contributed is not verified against the actual token transfer made by the caller. The contract assumes that the caller has already transferred the correct amount of tokens to the contract before calling the function. An attacker can exploit this to manipulate the prize pool's state and potentially drain the tokens from the contract.
Tools Used
Manual
Recommended Mitigation Steps
Add require(msg.value == _amount, "Tokens not transferred") to the contributePrizeTokens function
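The following is an added illustrative sketch, not the project's PrizePool.sol, showing the unchecked pattern described above beside a hardened form. It assumes the prize token is an ERC20 that contributors push to the pool before calling the function (contract, function and error names are hypothetical); the check compares the pool's real token balance against what it has already accounted for, since msg.value only reflects native ETH and would not observe an ERC20 transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 view used by the sketch (hypothetical, not the project's interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Constructed example pool. Contributors transfer prize tokens to this contract
// first, then call contributePrizeTokens to have them credited to a vault.
contract PrizePoolSketch {
    IERC20 public immutable prizeToken;
    uint256 private _accountedBalance;           // tokens already credited to vaults
    mapping(address => uint256) public contributions;

    event ContributePrizeTokens(address indexed prizeVault, uint256 amount);
    error TokensNotReceived(uint256 claimed, uint256 received);

    constructor(IERC20 token) { prizeToken = token; }

    // UNCHECKED: trusts the caller's _amount and never confirms tokens arrived,
    // so the accumulator and the event can reflect tokens the pool never got.
    function contributePrizeTokensUnchecked(address prizeVault, uint256 _amount) external {
        contributions[prizeVault] += _amount;
        _accountedBalance += _amount;
        emit ContributePrizeTokens(prizeVault, _amount);
    }

    // HARDENED: credit only what was actually received, measured as the gap
    // between the pool's on-chain token balance and its accounted balance.
    function contributePrizeTokens(address prizeVault, uint256 _amount) external returns (uint256) {
        uint256 delta = prizeToken.balanceOf(address(this)) - _accountedBalance;
        if (delta < _amount) revert TokensNotReceived(_amount, delta);
        contributions[prizeVault] += _amount;
        _accountedBalance += _amount;
        emit ContributePrizeTokens(prizeVault, _amount);
        return _amount;
    }

    function accountedBalance() external view returns (uint256) {
        return _accountedBalance;
    }
}
```

Because the hardened function credits at most the unaccounted balance, a caller claiming more than was transferred reverts instead of corrupting the accumulator.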
Assessed type
Token-Transfer