drawManager
CAN BE SET TO A MALICIOUS ADDRESS
#431
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-06
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L278-L281
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L348
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L335-L342
Vulnerability details
Impact
In the
PrizePool.constructor
thedrawManager
state variable is set as follows:But it accepts even if the
params.drawManager == address(0)
. There is no input validation for the address(0) as well.The
PrizePool.setDrawManager
function is used to set thedrawManager
if not already set. But the problem here is that there is no access control for this function and any one can call this. A malicious user can front run thevalid
drawManager
assignment transaction and set a malicious address as thedrawManager
. The other issue is once thedrawManager
is set it can not be updated due to the following conditional check. Hence the contract will have to redeployed.Hence the following two functions controlled by the
onlyDrawManager
modifier will be vulnerable to attacks, since thedrawManager
is a malicious address now.PrizePool.withdrawReserve can withdraw tokens from the
reserve
to any address given in the_to
parameter. Hence this function will be vulnerable.PrizePool.closeDraw()
function can close the current open draw. This function is only callable by thedrawManager
. Hence a malicious user can get control of this function thus making this function vulnerable.Proof of Concept
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L278-L281
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L348
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L335-L342
Tools Used
Manaul Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to check for
address(0)
in the constructor whendrawManager
is set or to implementaccess control
in thePrizePool.setDrawManager
function so that only the admin of the contract can call this function to set thedrawManager
if it is not set already.Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: