Draw timeout is implemented incorrectly. Draw timeout is supposed to be the number of draws that can be missed:
The maximum number of draws that can be missed before the prize pool is considered inactive.
But the implementation is incorrect. Since a draw can only be awarded after the draw's completion, even when no draw has been missed, the implementation will consider this as a missed draw and hence will shutdown the prize pool. For eg: in case the drawTimeout is set to 1, then it will for sure be shutdown since the next draw can only be awarded after (closingTime(prevAwardedDrawID + 1))
Impact
User's creating vaults based on the documentation above will have 1 draw reduced from the expected
hash
medium
Incorrect implementation of
drawTimeout
Summary
Incorrect implementation of
drawTimeout
Vulnerability Detail
Draw timeout is implemented incorrectly. Draw timeout is supposed to be the number of draws that can be missed:
The maximum number of draws that can be missed before the prize pool is considered inactive.
But the implementation is incorrect. Since a draw can only be awarded after the draw's completion, even when no draw has been missed, the implementation will consider this as a missed draw and hence will shutdown the prize pool. For eg: in case the drawTimeout is set to 1, then it will for sure be shutdown since the next draw can only be awarded after (closingTime(prevAwardedDrawID + 1))
Impact
User's creating vaults based on the documentation above will have 1 draw reduced from the expected
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-prize-pool/src/PrizePool.sol#L283
Tool used
Manual Review
Recommendation
Update the documentation or update the code to follow the documentation
Duplicate of #28