The startDraw function can be called after the Prize Pool has become shutdown, causing a loss of funds
Summary
Once the Prize Pool has been shut down no draws can ever be awarded. The issue is that the startDraw function in the DrawManager contract can still be called, causing a loss of funds for the claimers.
Vulnerability Detail
When a claimer calls the startDraw function they are required to make a call to Witnet in order to make a request for randomness. This request is not free to make as it requires for a fee to be paid. Therefore, if a claimer makes a call to startDraw after the Prize Pool has been shut down they will not be able to claim the expected rewards for completing a start draw auction and will have lost the funds used to make the request for randomness.
trachev
medium
The
startDrawfunction can be called after the Prize Pool has become shutdown, causing a loss of fundsSummary
Once the Prize Pool has been shut down no draws can ever be awarded. The issue is that the
startDrawfunction in theDrawManagercontract can still be called, causing a loss of funds for the claimers.Vulnerability Detail
When a claimer calls the
startDrawfunction they are required to make a call to Witnet in order to make a request for randomness. This request is not free to make as it requires for a fee to be paid. Therefore, if a claimer makes a call tostartDrawafter the Prize Pool has been shut down they will not be able to claim the expected rewards for completing a start draw auction and will have lost the funds used to make the request for randomness.Impact
Loss of funds for claimers
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-draw-manager/src/DrawManager.sol#L219-L273
Tool used
Manual Review
Recommendation
The
startDrawfunction should revert if the Prize Pool is shut down.Duplicate of #26