code-423n4 / 2024-02-thruster-findings


User can claim rewards when not all prizes are distributed yet #6

Closed c4-bot-2 closed 7 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-thruster/blob/main/thruster-protocol/thruster-treasure/contracts/ThrusterTreasure.sol#L104

Vulnerability details

Proof of Concept

One round can have multiple prizes. When the owner selects the winners of the prizes, he does that in a different transaction for each prize of the round.

Using the claimPrizesForRound function, a user can claim his prizes by round. In order to claim, the round should already be finished and the winners of the first prize should be selected.

Then the function loops through all prizes and their winners to detect whether the user has won. At the end it removes his data for the round.

As the owner should provide the winners for each prize of the round separately, it's possible that a user will call claimPrizesForRound before all prizes are processed. Thus his data will be removed, and in case he is the winner of another prize that was not processed yet, he will not be able to claim it.

This situation is possible because once a user detects that he has won, he can immediately claim that prize and lose the next one.

Impact

User can lose prizes

Tools Used

VsCode

Recommended Mitigation Steps

Better to have a separate variable to detect that all prizes were processed and that claiming is possible, or to allow claiming only for previous rounds, not the current one.

Assessed type

Error
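The pattern described in the finding, as an added illustrative sketch that is not ThrusterTreasure.sol and not the project's code: the storage layout, function names, the flat per-entry prize amount and the entry-id encoding are all assumptions chosen only to show the claim-before-all-prizes-drawn problem and the "all prizes processed" counter the mitigation suggests. `claimPrizesForRoundVulnerable` gates only on the first prize having winners, so a user who wins prize 0 and claims early has his entries deleted before prize 1 is drawn; `claimPrizesForRound` gates on `prizesProcessed[round] == prizeCount[round]` instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only (not ThrusterTreasure.sol). All names, the storage
// layout and the winner/entry encoding are assumptions made for this example.
contract PrizeRoundSketch {
    address public immutable owner;
    uint256 public currentRound;                                         // rounds < currentRound are finished

    mapping(uint256 => uint256) public prizeCount;                       // round => number of prizes
    mapping(uint256 => uint256) public prizeAmount;                      // round => wei per winning entry (assumed flat)
    mapping(uint256 => mapping(uint256 => uint256[])) internal winners;  // round => prize => winning entry ids
    mapping(uint256 => mapping(uint256 => bool)) public winnersSet;      // round => prize => winners chosen?
    mapping(uint256 => uint256) public prizesProcessed;                  // round => prizes whose winners are chosen
    mapping(uint256 => mapping(address => uint256[])) internal entries;  // round => user => entry ids held
    mapping(address => uint256) public owed;                             // credited winnings, withdrawn separately

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Owner opens the current round with a prize count and a flat payout per winning entry.
    function configureRound(uint256 prizes, uint256 amountPerEntry) external onlyOwner {
        prizeCount[currentRound] = prizes;
        prizeAmount[currentRound] = amountPerEntry;
    }

    // Users register entry ids while the round is open (assumption: ids are assigned off-chain).
    function enter(uint256 entryId) external {
        entries[currentRound][msg.sender].push(entryId);
    }

    // Closing the round makes it claimable; winners are drawn afterwards, one prize per tx.
    function finishRound() external onlyOwner { currentRound += 1; }

    // One transaction per prize, exactly the per-prize selection the finding describes.
    function setWinningEntries(uint256 round, uint256 prize, uint256[] calldata ids) external onlyOwner {
        require(round < currentRound && prize < prizeCount[round], "bad round/prize");
        if (!winnersSet[round][prize]) {
            winnersSet[round][prize] = true;
            prizesProcessed[round] += 1;      // counted once even if the owner re-submits a prize
        }
        winners[round][prize] = ids;
    }

    // VULNERABLE: only requires the first prize to be drawn. A user who already
    // won prize 0 can claim now; the delete below wipes his entries, so any
    // later-drawn prize he would also have won becomes unclaimable.
    function claimPrizesForRoundVulnerable(uint256 round) external {
        require(round < currentRound, "round not finished");
        require(winnersSet[round][0], "first prize not drawn");
        _credit(round, msg.sender);
        delete entries[round][msg.sender];
    }

    // HARDENED: refuse to claim until every prize of the round has winners.
    function claimPrizesForRound(uint256 round) external {
        require(round < currentRound, "round not finished");
        require(prizesProcessed[round] == prizeCount[round], "prizes still being drawn");
        _credit(round, msg.sender);
        delete entries[round][msg.sender];
    }

    // Credit the flat amount for every (prize, winning entry) the user holds.
    // Nested loops are fine for a sketch; a production contract would bound or index this.
    function _credit(uint256 round, address user) internal {
        uint256[] storage mine = entries[round][user];
        uint256 n = prizeCount[round];
        for (uint256 p = 0; p < n; p++) {
            uint256[] storage w = winners[round][p];
            for (uint256 i = 0; i < w.length; i++) {
                for (uint256 j = 0; j < mine.length; j++) {
                    if (w[i] == mine[j]) owed[user] += prizeAmount[round];
                }
            }
        }
    }
}
```

Walking the two paths with a two-prize round: after `finishRound()` and `setWinningEntries(0, 0, [id])`, a holder of `id` calling `claimPrizesForRoundVulnerable(0)` is credited for prize 0 and has `entries[0][user]` deleted, so a later `setWinningEntries(0, 1, [id])` can never pay him. The hardened function reverts with "prizes still being drawn" until `prizesProcessed[0] == 2`, at which point one claim credits both prizes before the delete.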

c4-judge commented 8 months ago

0xleastwood marked the issue as duplicate of #28

c4-judge commented 8 months ago

0xleastwood marked the issue as satisfactory

c4-judge commented 8 months ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

This previously downgraded issue has been upgraded by 0xleastwood