New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malicious vault owners can steal the PrizePool's Reserves as well as contributions made by EOA to other vaults. #220
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-147
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Jul 13, 2023
Picodes marked the issue as duplicate of #295 |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as duplicate of #295 |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as duplicate of #200 |
Picodes marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Aug 6, 2023
Yes! The source of truth for this is the current label on the issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-147
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/main/src/PrizePool.sol#L311-L330
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/main/src/PrizePool.sol#L498-L502
Vulnerability details
Impact
Proof of Concept
PrizePool:increaseReserve()
which will transfer the specified amount of PrizeTokens into the PrizePool & will update the_reserve
variable to reflect the number of new tokens added as a reserveprizeToken.balanceOf(address(this))
will return the reserves + any other amount of tokens that have been received on the PrizePool contract.The
PrizePool:contributePrizeTokens()
function allows anybody to contribute PrizeTokens on behalf of any Vault.Now that we have more context about how the PrizePool reserves and how PrizeTokens contributions are made, let's analyze the reason for the vulnerability and how it can be exploited.
So, for any of the two processes, the end result is an increase in the balance of PrizeTokens that the PrizePool contract holds.
That being said, the reserves can be stolen as follows:
After the reserves have been increased a malicious vault owner calls the
PrizePool:contributePrizeTokens()
and sends the_prizeVault
as the address of his own vault, and the_amount
as the exact amount of reserves that were deposited._amount
of PrizeTokens into the PrizePool contract when calculating the_deltaBalance
because is not discounting the _reserves it will leave the exact amount of reserves that the PrizePool contract is holding._deltaBalance
will be used to update thevaultAccumulator
& thetotalAccumulator
variables.As a result, the tokens of the reserve have been stolen and credited to the vault of the malicious owner, and now the PrizePool contract doesn't have enough tokens to back up the reserves that are tracked by the
_reserve
variableAs for stealing other's vault contributions:
The attacker can accumulate all the stolen tokens on his vault and increase the _vault's contributions of his vault. Later, the attacker can claim those tokens by calling the Vault::claimPrizes() and passing the parameters in a way that one of his accounts will win the prize and get away with all the stolen PrizeTokens that were used to fund the Prize Pool of that vault.
Tools Used
Manual Audit
Recommended Mitigation Steps
First of all, make sure to discount the reserves from the _deltaBalance, in this way, the _deltaBalance won't consider the reserves as part of the contributions.
Also, make sure to add a safe path to cover the edge case when an external entity to the vault (could be the vault's owner) would like to contribute extra Prize Tokens to its vault and wouldn't like to go through the liquidation process
Assessed type
Other
The text was updated successfully, but these errors were encountered: