code-423n4 / 2023-07-pooltogether-findings


Incorrect amount of tokens is transferred before updating the accumulator and emitting the ContributePrizeTokens event #378

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L311-L330

Vulnerability details

Impact

An attacker can call the contributePrizeTokens function with a lower amount of tokens than claimed, misleading the contract to update the accumulator and emit the event based on the incorrect amount. As a result, the prize pool's internal state will be inconsistent, and participants may not receive the correct rewards.

Proof of Concept

In the contributePrizeTokens function, the amount of tokens being contributed is not verified against the actual token transfer made by the caller. The contract assumes that the caller has already transferred the correct amount of tokens to the contract before calling the function. This vulnerability can be exploited by an attacker to manipulate the prize pool's state and potentially drain the tokens from the contract.

Tools Used

Manual

Recommended Mitigation Steps

Add require(msg.value == _amount, "Tokens not transferred") to the contributePrizeTokens function

Assessed type

Token-Transfer
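The transfer-then-call accounting described in the Proof of Concept, as an added example that is not part of the original report and is not the PrizePool code. `ContributionLedger` and all of its names are hypothetical, and it assumes an ERC-20 prize token. An ERC-20 transfer does not set `msg.value`, so the claimed amount is compared against the token balance the contract holds beyond what it has already credited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical pool (not PrizePool.sol): callers transfer tokens in first,
/// then call contribute(); the claim is credited only if the tokens arrived.
contract ContributionLedger {
    IERC20 public immutable token;

    // Sum of all token amounts this contract has already credited.
    uint256 public accounted;
    mapping(address => uint256) public contributedBy;

    error ContributionExceedsReceived(uint256 claimed, uint256 received);
    event Contributed(address indexed vault, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    /// Tokens held by the contract that no contribution has claimed yet.
    function unaccounted() public view returns (uint256) {
        return token.balanceOf(address(this)) - accounted;
    }

    /// Credits `amount` to `vault`; reverts if more is claimed than was received.
    function contribute(address vault, uint256 amount) external returns (uint256) {
        uint256 received = unaccounted();
        // A claim larger than the unclaimed balance would desynchronise
        // internal accounting from real holdings, so it is rejected.
        if (amount > received) {
            revert ContributionExceedsReceived(amount, received);
        }
        // State is updated and the event emitted only after the check passes.
        accounted += amount;
        contributedBy[vault] += amount;
        emit Contributed(vault, amount);
        return received;
    }
}
```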

Picodes commented 1 year ago

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L313

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient proof