Winners in Claimable may game claimer bots by claiming the prize when the beforeHook is called on the hook
Summary
Claimer::claimPrizes() goes through a list of winners and prizes and claims prizes from the PrizePool on behalf of users, but winners may exploit the hook available in Claimable to always steal the fee of the Claimer bot.
Vulnerability Detail
Claimer::claimPrizes() is called by bots, who sponsor prize claiming for users in return of prize fees given by the VRGDA auction in Claimer.
Each PrizeVault inherits the Claimable contract, which allows winners setting a hook to any smart contract in their control, which is called before and after prizes from the PrizePool are claimed.
However, this hook allows malicious winners to completely steal the fees of the claimer bots in the beforeHook hook by claiming the prize in the hook itself. Thus, the claimer bot is paying the gas costs, but winners guarantee that the claiming fees go to them. The PrizePool::claimPrize() reverts for the claimer bot as it was already claimed, but the transaction still goes through as it is wrapped in a try/catch statement in Claimer::_claim().
Malicious winners may frontrun the claimer bot and set a new hook that implements the malicious logic so bots are tricked.
Impact
Claimer fees are completely gamed by malicious winners that frontrun claimer bots and claim the fees for themselves in the beforeHook.
0x73696d616f
high
Winners in
Claimablemay game claimer bots by claiming the prize when thebeforeHookis called on the hookSummary
Claimer::claimPrizes()goes through a list of winners and prizes and claims prizes from thePrizePoolon behalf of users, but winners may exploit the hook available inClaimableto always steal the fee of theClaimerbot.Vulnerability Detail
Claimer::claimPrizes()is called by bots, who sponsor prize claiming for users in return of prize fees given by the VRGDA auction inClaimer.Each
PrizeVaultinherits theClaimablecontract, which allows winners setting a hook to any smart contract in their control, which is called before and after prizes from thePrizePoolare claimed.However, this hook allows malicious winners to completely steal the fees of the claimer bots in the
beforeHookhook by claiming the prize in the hook itself. Thus, the claimer bot is paying the gas costs, but winners guarantee that the claiming fees go to them. ThePrizePool::claimPrize()reverts for the claimer bot as it was already claimed, but the transaction still goes through as it is wrapped in a try/catch statement inClaimer::_claim().Malicious winners may frontrun the claimer bot and set a new hook that implements the malicious logic so bots are tricked.
Impact
Claimer fees are completely gamed by malicious winners that frontrun claimer bots and claim the fees for themselves in the
beforeHook.Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-claimer/src/Claimer.sol#L162 https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-vault/src/abstract/Claimable.sol#L87
Tool used
Manual Review
Vscode
Recommendation
Implement a reentrancy lock to not allow before hooks reentering and stealing the fees of the claimer bots.
Duplicate of #73