code-423n4 / 2023-07-pooltogether-findings


_winningRandomNumber variable used in calculating if caller is winner can be read via web3.getStorageAt() and user can predict if he wins or not beforehand #466

Closed code423n4 closed 11 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L237

Vulnerability details

Impact

The variable _winningRandomNumber, used in isWinner() to calculate if the caller has won the tier, can be read, and the calculation can be predicted.

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L237C41-L237C41

That a variable is marked internal doesn't mean it cannot be read.

Tools Used

VS Code

Recommended Mitigation Steps

Find better ways to do the determination of the winner.

Assessed type

Other

Picodes commented 11 months ago

The variable can be read but is only disclosed after the winner has been fixed. How can this be used in an attack?

c4-judge commented 11 months ago

Picodes marked the issue as unsatisfactory: Invalid