The fee hasn't been withdrawn yet; the fee is withdrawn in this function: withdrawClaimRewards().
You can see that it calls the _transfer function, which increases the total withdrawn.
asselstine marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L459
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L473
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L830-L833
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L743-L746
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L312
Vulnerability details
Impact
The PrizePool.ClaimPrize function is used to claim the rewards of the verified winner. When the prize amount is sent to the winner, a _fee amount is deducted from it (see the linked lines). The remaining amount is transferred to the winner of the draw by calling the _transfer function. In the PrizePool._transfer function, the _totalWithdrawn state variable is updated with that transferred amount.

The issue is that _totalWithdrawn is updated without the _fee amount. Hence _totalWithdrawn does not indicate the total liquidity that has been withdrawn (in the form of prizes) since the beginning.

_totalWithdrawn is used in the PrizePool._accountedBalance function to calculate the number of tokens that have been accounted for. This calculation is wrong since the _fee amount is excluded from the _totalWithdrawn value. Since _accountedBalance is used inside the Vault.liquidate function for a conditional check when calculating the Prize Pool tokens to be transferred to the accumulator, the above error could propagate and break the accounting of these critical functions and their conditional checks.
Proof of Concept
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L459
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L473
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L830-L833
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L743-L746
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L312
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
It is recommended to update _totalWithdrawn inside the PrizePool.ClaimPrize function with the total prize amount before the _fee is deducted.
Assessed type
Other
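The accounting at issue, modelled in Python as an added example (not the project's code) so the invariant can be checked concretely: the accounted balance (contributions minus withdrawals) must equal the tokens the pool actually holds. The model assumes, as the sponsor's reply states, that the fee stays in the pool as the claimer's reward and only leaves through withdrawClaimRewards(), which also routes through _transfer; the gross_counter flag models the recommended mitigation so both bookkeeping choices can be compared.

```python
# Simplified model of PrizePool accounting (added example, not PrizePool's code).
# Assumption: every token leaving the pool passes through _transfer, including
# the claimer's fee when it is withdrawn later via withdrawClaimRewards().
from dataclasses import dataclass, field


@dataclass
class PoolModel:
    gross_counter: bool = False   # True models the report's recommended mitigation
    held: int = 0                 # tokens physically in the pool
    contributed: int = 0          # analogue of total contributions
    total_withdrawn: int = 0      # analogue of _totalWithdrawn
    claim_rewards: dict = field(default_factory=dict)  # claimer -> accrued fee

    def contribute(self, amount):
        self.held += amount
        self.contributed += amount

    def _transfer(self, amount):
        # analogue of PrizePool._transfer: counts every token that leaves
        self.held -= amount
        self.total_withdrawn += amount

    def claim_prize(self, prize, fee, claimer):
        # winner receives prize - fee; the fee stays in the pool as the
        # claimer's reward until withdraw_claim_rewards() is called
        self._transfer(prize - fee)
        self.claim_rewards[claimer] = self.claim_rewards.get(claimer, 0) + fee
        if self.gross_counter:
            self.total_withdrawn += fee  # count the fee at claim time as well

    def withdraw_claim_rewards(self, claimer):
        self._transfer(self.claim_rewards.pop(claimer, 0))

    def accounted_balance(self):
        return self.contributed - self.total_withdrawn  # analogue of _accountedBalance


def run_scenario(gross_counter):
    """Contribute 1000, pay a 100 prize with a 10 fee, then the claimer withdraws
    the fee. Returns (accounted_balance, held) after each of the two steps; the
    accounting is consistent only when both numbers in each pair agree."""
    pool = PoolModel(gross_counter=gross_counter)
    pool.contribute(1000)
    pool.claim_prize(100, 10, "claimer")
    after_claim = (pool.accounted_balance(), pool.held)
    pool.withdraw_claim_rewards("claimer")
    after_withdraw = (pool.accounted_balance(), pool.held)
    return [after_claim, after_withdraw]
```

With the existing design the pairs agree at every step; counting the fee at claim time drifts the accounted balance below the held balance once the fee is withdrawn through _transfer a second time.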