c4-judge
commented
11 months ago Picodes marked the issue as duplicate of #356
Closed c4-judge closed 11 months ago
c4-judge
commented
11 months ago Picodes marked the issue as duplicate of #356
c4-judge
commented
11 months ago Picodes marked the issue as satisfactory
Judge has assessed an item in Issue #422 as 2 risk. The relevant finding follows:
[01] In the function PrizePool.setDrawManager(), anyone can frontrun it and become the drawManager Reading the documentation of the Prize Pool contract, the following is specified: The Prize Pool allows a 'draw manager' contract to complete the Draw and withdraw tokens from the reserve. In the code, on line 296, it is specified that the PrizePool.setDrawManager() function Allows a caller to set the DrawManager if not already set. This function is not protected in cases where a malicious attacker wants to front-run and take control of the draw manager permissions.
PROOF OF CONCEPT PoolTogether docs link :
The Prize Pool allows a "draw manager" contract to complete the Draw and withdraw tokens from the reserve.