code-423n4 / 2024-02-thruster-findings


If ThrusterTreasure.setRoot is called before winners selection, result will be wrong #7

Open c4-bot-4 opened 7 months ago

c4-bot-4 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-02-thruster/blob/main/thruster-protocol/thruster-treasure/contracts/ThrusterTreasure.sol#L257

Vulnerability details

Proof of Concept

When winners are selected, the currentTickets value is used to calculate the winning ticket. This value is updated when setRoot is called and a new round is started. Then everyone can add new tickets, which increases currentTickets.

If setRoot is called before setWinningTickets for the current round, the setWinningTickets function will use the wrong currentTickets value and the result will be incorrect.

Impact

Incorrect winner detection is possible.

Tools Used

VsCode

Recommended Mitigation Steps

Store, for each round, whether winner selection has finished, and only allow a new round to be created once it is done.

Assessed type

Error
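Added example (not ThrusterTreasure's code, and not from the warden or sponsor): a minimal hypothetical contract that models the round flow the finding describes and adds the per-round completion flag from the mitigation, so that setRoot cannot roll the round over while setWinningTickets is still pending. All names other than setRoot, setWinningTickets and currentTickets are assumptions, as is the detail that setRoot resets the ticket counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model of the round logic discussed in the finding.
// It is not ThrusterTreasure's code; names other than setRoot, setWinningTickets
// and currentTickets are assumptions made for illustration only.
contract RoundGuardSketch {
    address public owner;
    uint256 public currentRound;
    uint256 public currentTickets;                  // tickets entered in the open round
    mapping(uint256 => bytes32) public roots;
    mapping(uint256 => uint256) public winningTicket;
    mapping(uint256 => bool) public winnersFinalized; // mitigation: per-round completion flag

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Participants add tickets while a round is open; this is what grows currentTickets.
    function enter(uint256 n) external {
        require(currentRound > 0, "no open round");
        currentTickets += n;
    }

    // Starts a new round. The guard refuses to roll over until the previous
    // round's winners have been selected, which is exactly the ordering the
    // finding warns about (setRoot called before setWinningTickets).
    function setRoot(bytes32 root) external onlyOwner {
        require(
            currentRound == 0 || winnersFinalized[currentRound],
            "previous round: winners not selected yet"
        );
        currentRound += 1;
        roots[currentRound] = root;
        currentTickets = 0; // assumption: a new round starts with a fresh counter
    }

    // Selects the current round's winner using currentTickets as the modulus,
    // so it must run before the next setRoot changes that counter.
    function setWinningTickets(uint256 randomness) external onlyOwner {
        require(currentRound > 0, "no open round");
        require(!winnersFinalized[currentRound], "winners already selected");
        require(currentTickets > 0, "no tickets in this round");
        winningTicket[currentRound] = randomness % currentTickets;
        winnersFinalized[currentRound] = true;
    }
}
```

With the flag in place an admin who forgets to call setWinningTickets gets a revert from setRoot instead of a silently wrong draw for the previous round.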

c4-judge commented 6 months ago

0xleastwood marked the issue as satisfactory

0xEVom commented 6 months ago

I would classify this as an admin mistake since the function setRoot very clearly starts a new round and winning tickets can only be set for the current round.

jooleseth commented 6 months ago

This is an admin mistake; would consider it Low Severity given the likelihood of it happening.

c4-sponsor commented 6 months ago

jooleseth marked the issue as disagree with severity

c4-sponsor commented 6 months ago

jooleseth (sponsor) acknowledged

0xleastwood commented 6 months ago

Requires admin mistake, agree with low severity.

c4-judge commented 6 months ago

0xleastwood removed the grade

c4-judge commented 6 months ago

0xleastwood changed the severity to QA (Quality Assurance)