search

sherlock-audit / 2024-05-pooltogether-judging

9 stars 5 forks source link

zraxx - By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers #57

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

zraxx

medium

By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers

Summary

By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers.

Vulnerability Detail

In the functoin Claimer.sol#claimPrizes, users could claim prizes in batches on behalf of others or for themself. For canary tiers’ prizes, the feePerClaim is fixed(i.e., prizeSize).

    if (prizePool.isCanaryTier(_tier)) {
      return prizePool.getTierPrizeSize(_tier);
    }

As for other tiers’ prizes, the feePerClaim is related to the elapsedTime and claimedCount. When claimedCount is larger, feePerClaim will be lower. Therefore, in order to reduce the feePerClaim of other tiers, malicious users can claim prizes on the canary tiers at the beginning of the claiming time (i.e., the elapsed time is 0), thereby increasing the claimedCount. Since thefeePerClaim at the canary tiers is fixed, malicious users can reduce the fees that other feeRecipients can obtain at zero cost.

Impact

Malicious users can reduce the claim fee at other tiers.

Code Snippet

https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-claimer/src/Claimer.sol#L208-L242

https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-claimer/src/libraries/LinearVRGDALib.sol#L40-L96

Tool used

Manual Review

Recommendation

Count the number of claimed for each tier separately.

Duplicate of #124

sherlock-admin4 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

infect3d commented:

design