code-423n4 / 2023-08-pooltogether-mitigation-findings


M-24 MitigationConfirmed #21

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Comments

The V5 implementation incentivises claimers to claim prizes for any prize winners for every draw. The claimers are bots and they will try to batch claims together in a single call where possible. When a claimer is sufficiently incentivised to make a claim based on the current auction price, they will call claimPrize with the batch of prizes they want to claim for. However, a malicious user could frontrun the bot and claim the last prize that the bot wants to claim in its batch. As a result the bot's claim will fail after spending a significant amount of gas on all the preceding claims in the batch (that will obviously also revert).

Mitigation

The updated logic does a few new things to prevent prize claim griefing. Firstly, the prize pool now returns 0 rather than reverting if a prize has been claimed already. This is the key change that prevents the griefing. Secondly, the prize claiming logic has been mainly pulled out of the Vault and simplified to a single method that can be called by the claimer. The underlying logic has not been changed (for this mitigation, but it has for another reported issue in the original audit). Finally, the claimer contract has been updated to safely continue if a prize has already been claimed and just emit an event. There is also an additional _minVrgdaFeePerClaim argument that can be used by the Claimer to ensure they are receiving at least as many fees as they are expecting per claim. The whole set of changes properly resolves the original issue.

Conclusion

LGTM
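A simplified Solidity sketch of the pattern described above, added here as an illustration and not taken from the PoolTogether V5 code base: the reverting claim beside the mitigated one that returns 0, and a claimer loop that skips already-claimed prizes, emits an event, and checks a minimum fee per claim. The contract and function names, the (winner, tier) key and the linear fee curve are assumptions, not the project's interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified sketch, not PoolTogether's code: prizes are keyed by (winner, tier).
contract PrizePoolSketch {
    uint256 public constant PRIZE = 1 ether;
    mapping(bytes32 => bool) public claimed;
    function _key(address winner, uint8 tier) internal pure returns (bytes32) {
        return keccak256(abi.encode(winner, tier));
    }

    // "Before": a duplicate claim reverts, so a front-run claim on the last prize in a
    // bot's batch reverts the whole batch after gas was spent on the earlier claims.
    function claimPrizeReverting(address winner, uint8 tier) external returns (uint256) {
        bytes32 k = _key(winner, tier);
        require(!claimed[k], "already claimed");
        claimed[k] = true;
        return PRIZE; // payout omitted for brevity
    }

    // Mitigated: a duplicate claim returns 0 instead of reverting; the caller decides.
    function claimPrize(address winner, uint8 tier) external returns (uint256) {
        bytes32 k = _key(winner, tier);
        if (claimed[k]) return 0;
        claimed[k] = true;
        return PRIZE;
    }
}

// Claimer sketch: skips already-claimed prizes and enforces a minimum fee per claim.
contract ClaimerSketch {
    event AlreadyClaimed(address indexed winner, uint8 indexed tier);
    // Hypothetical stand-in for the VRGDA auction price; the real curve differs.
    function _feePerClaim(uint256 claimCount) internal pure returns (uint256) {
        return 0.001 ether + claimCount * 0.0001 ether;
    }
    function claimPrizes(
        PrizePoolSketch pool, address[] calldata winners, uint8 tier, uint256 minFeePerClaim
    ) external returns (uint256 claimedCount, uint256 feePerClaim) {
        feePerClaim = _feePerClaim(winners.length);
        require(feePerClaim >= minFeePerClaim, "fee per claim below minimum");
        for (uint256 i = 0; i < winners.length; i++) {
            if (pool.claimPrize(winners[i], tier) == 0) {
                emit AlreadyClaimed(winners[i], tier); // record it and keep going
                continue;
            }
            claimedCount++;
        }
    }
}
```

With claimPrizeReverting, one duplicate in the batch undoes every earlier state change in the same transaction; with claimPrize returning 0, the bot keeps the prizes it did win and only the duplicate is logged.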

c4-judge commented 11 months ago

Picodes marked the issue as satisfactory