Open code423n4 opened 1 year ago
Hmm; looks like the Tier struct has an extra 16 bits available to pack. Will increase prizeSize type to uint112 and add safe casting.
asselstine marked the issue as sponsor confirmed
Picodes changed the severity to 2 (Med Risk)
Downgrading to Med as there is no proof of impact or discussion about the chances of this occurring in the report
Picodes marked the issue as satisfactory
Come to think of it, since prizes are in POOL and it's supply is 10m with 18 decimals, then prizes can never be more than ~1e25
Anyway, fixed here https://github.com/GenerationSoftware/pt-v5-prize-pool/pull/16
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/abstract/TieredLiquidityDistributor.sol#L476
Vulnerability details
Impact
In
PrizePool.sol
vaults can callclaimPrize()
function to claim prizes for winners. TheclaimPrize
calls_getTier(_tier, numberOfTiers)
function to get back the prizeSize but there is a problem in_getTier
function, lets see:As you can see it calls
_computePrizeSize
function and downcast the returned result but since it returnsuint256
by downcasting it touint96
it's possible to result in incorrect number if the value overflow (When downcasting from one type to another, Solidity will not revert but overflows). So this means there is possibiltyprizeSize
value result in incorrect prize size and vaults can't claim the prizes correctly for winners.Tools Used
Manual Review
Recommended Mitigation Steps
Check whether the result of
prizeSize
exceedstype(uint96).max
or not, if so revert the tx. I recommend to use SafeCast by OpenZeppelin for casting diffrent types safely.I also found some other downcastings in the code base but since they or pegged to vault share values and you already check for overflows, there is no problem.
Assessed type
Under/Overflow