By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers
Summary
By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers.
Vulnerability Detail
In the functoin Claimer.sol#claimPrizes, users could claim prizes in batches on behalf of others or for themself. For canary tiers’ prizes, the feePerClaim is fixed(i.e., prizeSize).
if (prizePool.isCanaryTier(_tier)) {
return prizePool.getTierPrizeSize(_tier);
}
As for other tiers’ prizes, the feePerClaim is related to the elapsedTime and claimedCount. When claimedCount is larger, feePerClaim will be lower. Therefore, in order to reduce the feePerClaim of other tiers, malicious users can claim prizes on the canary tiers at the beginning of the claiming time (i.e., the elapsed time is 0), thereby increasing the claimedCount. Since thefeePerClaim at the canary tiers is fixed, malicious users can reduce the fees that other feeRecipients can obtain at zero cost.
Impact
Malicious users can reduce the claim fee at other tiers.
zraxx
medium
By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers
Summary
By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers.
Vulnerability Detail
In the functoin Claimer.sol#claimPrizes, users could claim prizes in batches on behalf of others or for themself. For canary tiers’ prizes, the feePerClaim is fixed(i.e., prizeSize).
As for other tiers’ prizes, the feePerClaim is related to the elapsedTime and claimedCount. When claimedCount is larger, feePerClaim will be lower. Therefore, in order to reduce the feePerClaim of other tiers, malicious users can claim prizes on the canary tiers at the beginning of the claiming time (i.e., the elapsed time is 0), thereby increasing the claimedCount. Since thefeePerClaim at the canary tiers is fixed, malicious users can reduce the fees that other feeRecipients can obtain at zero cost.
Impact
Malicious users can reduce the claim fee at other tiers.
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-claimer/src/Claimer.sol#L208-L242
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-claimer/src/libraries/LinearVRGDALib.sol#L40-L96
Tool used
Manual Review
Recommendation
Count the number of claimed for each tier separately.
Duplicate of #124