Closed code423n4 closed 11 months ago
This is by design; the pricing algorithm is externalized, and it's up to the vault creator to decide how they want to tackle it.
asselstine marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L611
Vulnerability details
Impact
The _feePerClaim is a user-controlled parameter which tops at tierLiquidity.prizeSize for a given _tier (see here for that). That means the CLAIMER can set arbitrary fees for a given call to claimPrize to increase maliciously the collected fees with (see here) and collect them with withdrawClaimRewards. The severity here is because winners will be losing part of their prizes (or everything if there is an issue with the _getTier function in TieredLiquidityDistributor.sol file that computes the wrong tierLiquidity.prizeSize) because of this "arbitrage" from the CLAIMER
(for the judges' comfort, so they do not go from one file to another, here is the affected code)
Tools Used
Manual analysis
Recommended Mitigation Steps
Hard-code the fees with a constant so that users will know exactly what fees they are gonna pay OR make it variable and add a function to set its value with a delay between calls to ensure the CLAIMER does not abuse his position doing the arbitrage previously discussed
Assessed type
Other
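The second mitigation option in the report (a stored fee that can only change after a delay), sketched as an added example; it is not code from pt-v5-vault or from the report's author. The contract name, the single-owner model, the `FEE_CHANGE_DELAY` value and all function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical sketch: none of these names come from pt-v5-vault.
contract DelayedClaimFee {
    // Assumed value; the report does not specify a delay.
    uint256 public constant FEE_CHANGE_DELAY = 1 days;

    address public immutable owner;
    uint96 public feePerClaim;        // fee currently charged per claim
    uint96 public pendingFeePerClaim; // announced, not yet active
    uint256 public pendingActiveAt;   // 0 when nothing is pending

    event FeeChangeAnnounced(uint96 newFee, uint256 activeAt);
    event FeeChanged(uint96 newFee);

    error NotOwner();
    error NothingPending();
    error DelayNotElapsed(uint256 activeAt);

    constructor(uint96 initialFee) {
        owner = msg.sender;
        feePerClaim = initialFee;
    }

    /// Step 1: publish the new fee so winners can see it before it applies.
    function announceFee(uint96 newFee) external {
        if (msg.sender != owner) revert NotOwner();
        pendingFeePerClaim = newFee;
        pendingActiveAt = block.timestamp + FEE_CHANGE_DELAY;
        emit FeeChangeAnnounced(newFee, pendingActiveAt);
    }

    /// Step 2: anyone may activate the announced fee once the delay has passed.
    function applyFee() external {
        if (pendingActiveAt == 0) revert NothingPending();
        if (block.timestamp < pendingActiveAt) revert DelayNotElapsed(pendingActiveAt);
        feePerClaim = pendingFeePerClaim;
        pendingActiveAt = 0;
        emit FeeChanged(feePerClaim);
    }

    /// Fee a claim would pay: the stored fee, never more than the prize size.
    function feeFor(uint256 prizeSize) public view returns (uint256) {
        uint256 fee = feePerClaim;
        return fee > prizeSize ? prizeSize : fee;
    }
}
```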