Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L988
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L480-L482
Vulnerability details
Impact
Anyone can delegate someone else's balance to the sponsorship address, increasing their own likelihood of winning, while voiding the victim's chance.
Proof of Concept
The issue is in the call-chain starting with Vault.sponsor:
Essentially anyone can call Vault.sponsor to deposit any amount of assets (even 0) to any receiver and the TwabController will then re-delegate the whole balance from the current delegate of the receiver to the SPONSORSHIP_ADDRESS.
Tools Used
Manual Review
Recommended Mitigation Steps
Sponsoring should be restricted to msg.sender as receiver
Assessed type
Invalid Validation
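The following Solidity sketch is an added example, not code from pt-v5-vault or from the report: a simplified model of the delegation bookkeeping that puts the unrestricted sponsor path described in the Proof of Concept beside the restricted form from the Recommended Mitigation Steps. The contract name, the function names sponsorUnrestricted and sponsorRestricted, the storage layout and the address(1) placeholder are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Simplified model written for this example; it is NOT the pt-v5-vault source.
/// Only the delegation bookkeeping relevant to the finding is modelled.
contract SponsorshipModel {
    // Placeholder value chosen for the model, not taken from the project.
    address public constant SPONSORSHIP_ADDRESS = address(1);

    mapping(address => uint256) public balanceOf;
    mapping(address => address) private _delegate; // zero means self-delegated
    mapping(address => uint256) public delegateBalanceOf;

    function delegateOf(address user) public view returns (address) {
        address d = _delegate[user];
        return d == address(0) ? user : d;
    }

    function deposit(uint256 assets) external {
        _mint(msg.sender, assets);
    }

    /// Behaviour described in the report: the caller chooses the receiver, so a
    /// call with assets = 0 still moves the receiver's whole delegated balance.
    function sponsorUnrestricted(uint256 assets, address receiver) external {
        _mint(receiver, assets);
        _delegateToSponsorship(receiver);
    }

    /// Recommended mitigation: the receiver is always msg.sender, so a caller
    /// can only change their own delegation.
    function sponsorRestricted(uint256 assets) external {
        _mint(msg.sender, assets);
        _delegateToSponsorship(msg.sender);
    }

    function _mint(address to, uint256 assets) internal {
        balanceOf[to] += assets;
        delegateBalanceOf[delegateOf(to)] += assets;
    }

    function _delegateToSponsorship(address user) internal {
        address current = delegateOf(user);
        if (current == SPONSORSHIP_ADDRESS) return;
        // Move the user's entire balance away from the current delegate.
        delegateBalanceOf[current] -= balanceOf[user];
        delegateBalanceOf[SPONSORSHIP_ADDRESS] += balanceOf[user];
        _delegate[user] = SPONSORSHIP_ADDRESS;
    }
}
```

A regression test for the fix would deposit as one account, call the sponsor entry point from a second account, and assert that delegateOf for the first account is unchanged.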