code-423n4 / 2024-02-thruster-findings


Time to enter the tickets and claim the prize is highly uncertain because setWinningTickets() can be called at any time #20

Closed c4-bot-7 closed 7 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-thruster/blob/3896779349f90a44b46f2646094cb34fffd7f66e/thruster-protocol/thruster-treasure/contracts/ThrusterTreasure.sol#L269-L292
https://github.com/code-423n4/2024-02-thruster/blob/3896779349f90a44b46f2646094cb34fffd7f66e/thruster-protocol/thruster-treasure/contracts/ThrusterTreasure.sol#L83-L96
https://github.com/code-423n4/2024-02-thruster/blob/3896779349f90a44b46f2646094cb34fffd7f66e/thruster-protocol/thruster-treasure/contracts/ThrusterTreasure.sol#L102-L120

Vulnerability details

Impact

Time left for a user to enter tickets and claim the prize is highly uncertain because setWinningTickets() can be called at any time. This may result in a user not having enough time to enter tickets or to claim the prize.

Proof of Concept

When enterTickets() is called, this requirement must be satisfied:

require(winningTickets[currentRound_][0].length == 0, "ET");

and when claimPrizesForRound() is called, these requirements must be satisfied:

require(roundStart[roundToClaim] + MAX_ROUND_TIME >= block.timestamp, "ICT");
require(winningTickets[roundToClaim][0].length > 0, "NWT");

These requirements rely on winningTickets[roundToClaim][0].length, which is updated through setWinningTickets(); that function can be called at any time between roundStart and roundStart + MAX_ROUND_TIME:

require(roundStart[_round] + MAX_ROUND_TIME >= block.timestamp, "ICT");

So it is uncertain when this function will be called. If it is called very early, users don't have enough time to enter their tickets; if it is called very late, users may not have enough time to claim their prize.

Tools Used

Manual Review

Recommended Mitigation Steps

Select a fixed time for each phase, e.g. 10 days to enter tickets, then 1 day to set the prize and 3 days to collect the prize.

Assessed type

Other
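The timing argument above can be made concrete with a small model. The following Python is an added example and is not code from the Thruster repository or from the issue author: it reproduces the three require() checks quoted in the issue as plain functions, measures how long entrants and claimants get depending on when the owner calls setWinningTickets(), and contrasts that with the fixed-phase schedule proposed in the mitigation. MAX_ROUND_TIME, the 10/1/3-day phase lengths and every timestamp used are constructed values for the model; the real constants live in ThrusterTreasure.sol.

```python
# Added example: a model of the round-timing gates quoted in the issue.
# Not the project's code; constants and timestamps are assumed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
MAX_ROUND_TIME = 30 * DAY  # assumed; the contract defines the real value


@dataclass
class Round:
    start: int                             # roundStart[round]
    winning_set_at: Optional[int] = None   # block.timestamp when setWinningTickets() ran


# --- gating as quoted in the issue (behaviour at the audited commit) ---------

def can_enter(r: Round) -> bool:
    # enterTickets(): require(winningTickets[round][0].length == 0, "ET")
    # Only the "tickets not yet drawn" check is modelled, as quoted above.
    return r.winning_set_at is None


def can_set_winning(r: Round, now: int) -> bool:
    # setWinningTickets(): require(roundStart + MAX_ROUND_TIME >= block.timestamp, "ICT")
    return r.start + MAX_ROUND_TIME >= now


def can_claim(r: Round, now: int) -> bool:
    # claimPrizesForRound(): the "ICT" and "NWT" checks
    return r.start + MAX_ROUND_TIME >= now and r.winning_set_at is not None


def windows_as_deployed(start: int, draw_at: int) -> tuple[int, int]:
    """Seconds available to enter and to claim if the owner draws at draw_at.

    The two windows always sum to MAX_ROUND_TIME: an early draw starves
    entrants, a late draw starves claimants.
    """
    r = Round(start)
    if not can_set_winning(r, draw_at):
        raise ValueError("draw outside the round")
    entry_window = draw_at - start
    claim_window = start + MAX_ROUND_TIME - draw_at
    return entry_window, claim_window


# --- fixed phases, as the mitigation suggests (10 / 1 / 3 days, assumed) -----

ENTER_PHASE = 10 * DAY
DRAW_PHASE = 1 * DAY
CLAIM_PHASE = 3 * DAY


def phase_fixed(start: int, now: int) -> str:
    """Which phase a round is in at time `now` under a fixed schedule."""
    elapsed = now - start
    if elapsed < 0:
        return "not_started"
    if elapsed < ENTER_PHASE:
        return "enter"
    if elapsed < ENTER_PHASE + DRAW_PHASE:
        return "draw"
    if elapsed < ENTER_PHASE + DRAW_PHASE + CLAIM_PHASE:
        return "claim"
    return "closed"


def can_enter_fixed(r: Round, now: int) -> bool:
    return phase_fixed(r.start, now) == "enter"


def can_set_winning_fixed(r: Round, now: int) -> bool:
    return phase_fixed(r.start, now) == "draw" and r.winning_set_at is None


def can_claim_fixed(r: Round, now: int) -> bool:
    return phase_fixed(r.start, now) == "claim" and r.winning_set_at is not None


def windows_fixed(start: int, draw_at: int) -> tuple[int, int]:
    """Entry and claim windows no longer depend on when the draw happens,
    as long as the draw lands inside its own phase."""
    if phase_fixed(start, draw_at) != "draw":
        raise ValueError("draw outside the draw phase")
    return ENTER_PHASE, CLAIM_PHASE


if __name__ == "__main__":
    for draw in (1 * DAY, 15 * DAY, 29 * DAY):
        print("deployed, draw at day %2d -> entry %2d d, claim %2d d"
              % (draw // DAY, *[w // DAY for w in windows_as_deployed(0, draw)]))
    print("fixed schedule               -> entry %2d d, claim %2d d"
          % tuple(w // DAY for w in windows_fixed(0, 10 * DAY + 1)))
```

Running the script shows the trade-off the issue describes: under the deployed gating a draw on day 1 leaves 29 days to claim but only one day to enter, while a draw on day 29 does the opposite, and no on-chain rule prevents either. The fixed schedule gives every round the same entry and claim windows; its own caveat, visible in the model, is that a draw missed during the draw phase leaves the round unclaimable, which is a liveness question for the operator rather than a timing uncertainty for users.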

jooleseth commented 8 months ago

This is handled off-chain; don't consider this a bug. Determining the enter-tickets period and when the winning tickets are drawn will be communicated clearly to the end user.

c4-judge commented 8 months ago

0xleastwood marked the issue as satisfactory

c4-sponsor commented 8 months ago

jooleseth (sponsor) disputed

0xleastwood commented 8 months ago

Seems that this will be correctly handled and communicated off-chain.

c4-judge commented 8 months ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 8 months ago

This previously downgraded issue has been upgraded by 0xleastwood

c4-judge commented 8 months ago

0xleastwood removed the grade

c4-judge commented 8 months ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

This previously downgraded issue has been upgraded by 0xleastwood

c4-judge commented 7 months ago

0xleastwood marked the issue as duplicate of #28

c4-judge commented 7 months ago

0xleastwood marked the issue as satisfactory