What is default duration when creditRateMantissa is not set #10
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
gpersoon
Vulnerability details
Impact
In PrizePool.sol, if the value of _tokenCreditPlans[_controlledToken].creditRateMantissa isn't set (yet), then the function _estimateCreditAccrualTime returns 0.
This means the TimelockDuration is 0 and funds can be withdrawn immediately, defeating the entire timelock mechanism.
Perhaps a different default would be useful.
Proof of Concept
// https://github.com/code-423n4/2021-06-pooltogether/blob/main/contracts/PrizePool.sol#L783
function _estimateCreditAccrualTime( address _controlledToken,uint256 _principal,uint256 _interest ) internal view returns (uint256 durationSeconds) {
uint256 accruedPerSecond = FixedPoint.multiplyUintByMantissa(_principal, _tokenCreditPlans[_controlledToken].creditRateMantissa);
if (accruedPerSecond == 0) {
return 0;
}
return _interest.div(accruedPerSecond);
}
// https://github.com/code-423n4/2021-06-pooltogether/blob/main/contracts/PrizePool.sol#L710
function _calculateTimelockDuration( address from, address controlledToken, uint256 amount) internal returns (uint256 durationSeconds, uint256 burnedCredit ) {
...
uint256 duration = _estimateCreditAccrualTime(controlledToken, amount, exitFee);
if (duration > maxTimelockDuration) {
duration = maxTimelockDuration;
}
return (duration, _burnedCredit);
}
Tools Used
Recommended Mitigation Steps
Consider the default duration for the case _tokenCreditPlans[_controlledToken].creditRateMantissa isn't set.
The text was updated successfully, but these errors were encountered: