PricePool.sol:contributePrizeTokens wrong accounting of price tokens
rudhrabehara
high
can manipulate accounting of price tokens
Summary
accounting of pricetoken contribution can be manipulated
Vulnerability Details
if vault A contributes x tokens then before accounting this amount on behalf of vault A if a malicious actor calls this function on behalf of vault B then the given amount of pricetoken will be accounted on behalf of vault B instead of Vault A then the chances of winning prices of vault B will increase without actually contributing and chances of vault A winning prices will decrease even though it contributes.Malicious actor can repeat this with all vaults and change the way pricetoken are accounted in pricepool.
https:pt-v5-prize-pool/src/PrizePool.sol
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L412-L422
rudhra1749
high
PricePool.sol:contributePrizeTokens wrong accounting of price tokens
rudhrabehara
high
can manipulate accounting of price tokens
Summary
accounting of pricetoken contribution can be manipulated
Vulnerability Details
if vault A contributes x tokens then before accounting this amount on behalf of vault A if a malicious actor calls this function on behalf of vault B then the given amount of pricetoken will be accounted on behalf of vault B instead of Vault A then the chances of winning prices of vault B will increase without actually contributing and chances of vault A winning prices will decrease even though it contributes.Malicious actor can repeat this with all vaults and change the way pricetoken are accounted in pricepool. https:pt-v5-prize-pool/src/PrizePool.sol https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-prize-pool/src/PrizePool.sol#L412-L422
Impact
chances of winning of vaults can be manipulated
Code Snippet
Tool used
Manual Review
Recommendation
check weather the given vault is actually contributing the given amount of price tokens to price pool or not.
Duplicate of #56