Handle
gpersoon
Vulnerability details
Impact
In PrizePool.sol, if the value of _tokenCreditPlans[_controlledToken].creditRateMantissa isn't set (yet), then the function _estimateCreditAccrualTime returns 0.
This means the TimelockDuration is 0 and funds can be withdrawn immediately, defeating the entire timelock mechanism.
Perhaps a different default would be useful.
Proof of Concept
// https://github.com/code-423n4/2021-06-pooltogether/blob/main/contracts/PrizePool.sol#L783
function _estimateCreditAccrualTime(address _controlledToken, uint256 _principal, uint256 _interest) internal view returns (uint256 durationSeconds) {
    uint256 accruedPerSecond = FixedPoint.multiplyUintByMantissa(_principal, _tokenCreditPlans[_controlledToken].creditRateMantissa);
    if (accruedPerSecond == 0) {
        return 0;
    }
    return _interest.div(accruedPerSecond);
}

// https://github.com/code-423n4/2021-06-pooltogether/blob/main/contracts/PrizePool.sol#L710
function _calculateTimelockDuration(address from, address controlledToken, uint256 amount) internal returns (uint256 durationSeconds, uint256 burnedCredit) {
    ...
    uint256 duration = _estimateCreditAccrualTime(controlledToken, amount, exitFee);
    if (duration > maxTimelockDuration) {
        duration = maxTimelockDuration;
    }
    return (duration, _burnedCredit);
}
Tools Used
Recommended Mitigation Steps
Consider the default duration for the case where _tokenCreditPlans[_controlledToken].creditRateMantissa isn't set.
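The following Python model is an added example, not code from the report or from PoolTogether. It mirrors the two quoted functions to show when the duration collapses to 0, and compares that with one hypothetical fail-closed default. It assumes `FixedPoint.multiplyUintByMantissa(b, m)` computes `b * m / 1e18`; the function names, the 4-week maximum and all amounts are constructed for illustration.

```python
# Added model of the quoted timelock arithmetic (not PoolTogether code).
# Assumption: FixedPoint.multiplyUintByMantissa(b, m) == b * m // 1e18.
SCALE = 10**18
MAX_TIMELOCK = 4 * 7 * 24 * 3600  # constructed value for maxTimelockDuration


def estimate_credit_accrual_time(principal, interest, credit_rate_mantissa):
    """Mirror of _estimateCreditAccrualTime as quoted in the report."""
    accrued_per_second = principal * credit_rate_mantissa // SCALE
    if accrued_per_second == 0:
        # Hit when the rate is unset, and also when the product rounds to zero.
        return 0
    return interest // accrued_per_second


def timelock_duration(principal, exit_fee, credit_rate_mantissa, max_timelock=MAX_TIMELOCK):
    """Mirror of the capping step at the end of _calculateTimelockDuration."""
    duration = estimate_credit_accrual_time(principal, exit_fee, credit_rate_mantissa)
    return min(duration, max_timelock)


def timelock_duration_fail_closed(principal, exit_fee, credit_rate_mantissa,
                                  max_timelock=MAX_TIMELOCK):
    """Hypothetical default: a fee is owed but nothing accrues -> maximum timelock."""
    accrued_per_second = principal * credit_rate_mantissa // SCALE
    if accrued_per_second == 0:
        return max_timelock if exit_fee > 0 else 0
    return min(exit_fee // accrued_per_second, max_timelock)


if __name__ == "__main__":
    # Constructed cases: (label, principal, exit_fee, creditRateMantissa)
    cases = [
        ("rate configured", 1000 * SCALE, 10 * SCALE, 10**12),
        ("rate unset", 1000 * SCALE, 10 * SCALE, 0),
        ("dust principal, rate set", 100, 1, 10**12),
    ]
    for label, principal, fee, rate in cases:
        print(label,
              "as quoted:", timelock_duration(principal, fee, rate),
              "fail-closed:", timelock_duration_fail_closed(principal, fee, rate))
```

The third case goes beyond the report: under the stated fixed-point assumption, the same zero branch is reached when the rate is set but `principal * rate` is below 1e18, so a default chosen for the unset case should also be checked against small principals.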