rudhra1749 - PricePool.sol:contributePrizeTokens wrong accounting of price tokens

[sherlock-admin3]

rudhra1749

high

PricePool.sol:contributePrizeTokens wrong accounting of price tokens

rudhrabehara

high

can manipulate accounting of price tokens

Summary

accounting of pricetoken contribution can be manipulated

Vulnerability Details

if vault A contributes x tokens then before accounting this amount on behalf of vault A if a malicious actor calls this function on behalf of vault B then the given amount of pricetoken will be accounted on behalf of vault B instead of Vault A then the chances of winning prices of vault B will increase without actually contributing and chances of vault A winning prices will decrease even though it contributes.Malicious actor can repeat this with all vaults and change the way pricetoken are accounted in pricepool. https:pt-v5-prize-pool/src/PrizePool.sol https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L412-L422

function contributePrizeTokens(address _prizeVault, uint256 _amount) public returns (uint256) {
    uint256 _deltaBalance = prizeToken.balanceOf(address(this)) - accountedBalance();
    if (_deltaBalance < _amount) {
        revert ContributionGTDeltaBalance(_amount, _deltaBalance);
    }
    uint24 openDrawId_ = getOpenDrawId();
    _vaultAccumulator[_prizeVault].add(_amount, openDrawId_); 
    _totalAccumulator.add(_amount, openDrawId_);
    emit ContributePrizeTokens(_prizeVault, openDrawId_, _amount);
    return _deltaBalance;
}

Impact

chances of winning of vaults can be manipulated

Code Snippet

Tool used

Manual Review

Recommendation

check weather the given vault is actually contributing the given amount of price tokens to price pool or not.

Duplicate of #56

[sherlock-admin3]

1 comment(s) were left on this issue during the judging contest.

infect3d commented:

its exepected to call contributePrizeToken in the same call as the transfer