Closed sherlock-admin3 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
infect3d commented:
startDraw cannot be called again if the RNG request hasn't failed
Invalid, sponsor comments:
- invalid,
startDraw
checks to ensure that the draw ID to award has closed. SincefinishDraw
awards the draw, this will increase thedrawIdToAward
by 1 andstartDraw
will fail until the next draw closes
cu5t0mPe0
medium
After the user calls startDraw, they are unable to obtain the reward.
Summary
After calling
finishDraw
, it is still possible to callstartDraw
, causing the user to be unable to obtain the reward.Vulnerability Detail
startDraw
does not check whetherfinishDraw
has already been called. Therefore, if a user callsstartDraw
after callingfinishDraw
, the user will be unable to obtain the deserved reward.Additionally, if the user tries to call
finishDraw
again, it will fail because after the first call tofinishDraw
,awardDraw
sets the_lastAwardedDrawId
in theprizePool
to the return value ofprizePool.getDrawIdToAward
.https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/abstract/TieredLiquidityDistributor.sol#L249
When called the second time,
_lastAwardedDrawId
will be equal to the currentdrawId
.https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L460
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L467
Then, when calling
__awardDraw
, it first callsgetTotalContributedBetween
.https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L479
getTotalContributedBetween
callsgetDisbursedBetween
. Since the parameters passed before callinggetTotalContributedBetween
will setlastAwardedDrawId_ + 1
, it will trigger the following condition.https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/libraries/DrawAccumulatorLib.sol#L147-L148
Therefore, if an attacker calls
finishDraw
before a user callsstartDraw
, the user will no longer be able to call thefinishDraw
function, resulting in the loss of their deserved reward amount.For example:
After the attacker calls
startDraw
, they notice that User A is about to callstartDraw
. The attacker then front-runs the transaction and executesfinishDraw
first. At this point, User A thinks that after executingstartDraw
, they will receive a reward. However, when User A callsfinishDraw
, it will revert, causing User A to lose their reward.Impact
The user will lose the reward fee they deserve
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-draw-manager/src/DrawManager.sol#L219-L273
Tool used
Manual Review
Recommendation
It should check whether the drawId has already completed the
finishDraw
operation.