c4-pre-sort
commented
1 year ago raymondfam marked the issue as duplicate of #82
Closed code423n4 closed 1 year ago
c4-pre-sort
commented
1 year ago raymondfam marked the issue as duplicate of #82
c4-judge
commented
1 year ago HickupHH3 marked the issue as satisfactory
Lines of code
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L131-L176
Vulnerability details
Impact
In RngRelayAuction.sol the rngComplete function is meant to be called only by the rngAuctionRelayer contract, however, it can currently be called by any user. Consequently any random number can be used to close a prize pool draw, benefiting the malicious user. Furthermore, other function parameters such as the _rewardRecipient can be altered to further benefit the attacker and steal from the protocol and its users.
Proof of Concept
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L131-L176 We can see above that there are no checks for who the msg.sender is and the prize pool is closed with the _randomNumber parameter that can be set to any value by the attacker.
Tools Used
Manual review
Recommended Mitigation Steps
Add an authentication check for msg.sender in the rngComplete function so that it is equal to the rngAuctionRelayer variable.
Assessed type
Access Control