PoolTogether - Daniel526's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

PoolTogether

Researcher Performance

Rank: 88/111

Findings: 1

Award: $19.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.2867 USDC - $19.29

Labels

bug
2 (Med Risk)
satisfactory
duplicate-431

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306

Vulnerability details

The setDrawManager function in the provided contract allows anyone to change the draw manager address without any access control or restrictions. This lack of protection could potentially lead to unauthorized individuals or malicious users assigning themselves as the draw manager, potentially compromising the contract's functionality or security.

function setDrawManager(address _drawManager) external {
    if (drawManager != address(0)) {
        revert DrawManagerAlreadySet();
    }
    drawManager = _drawManager;
    emit DrawManagerSet(_drawManager);
}

The function takes an address _drawManager as an argument and assigns it as the new draw manager. However, it does not include any access control checks or restrictions, allowing any caller to change the draw manager. This means that any user, including malicious actors, can call this function and set themselves as the draw manager.

Impact

An unauthorized individual can assume control of the draw manager role, which may have critical permissions or responsibilities within the contract. They can manipulate draws, alter prize distributions, or disrupt the contract's intended functionality, potentially leading to financial loss or other undesirable outcomes.

Proof of Concept

An attacker can exploit this vulnerability by deploying the contract and subsequently calling the setDrawManager function with their desired address as the argument:

PrizePool prizePool = new PrizePool();
prizePool.setDrawManager(msg.sender); // Attacker sets themselves as the draw manager

Tools Used

manual

The contract already includes a modifier called onlyDrawManager, which can be utilized to restrict access to the setDrawManager function.

Assessed type

Access Control

#0 - c4-judge

2023-07-16T16:04:46Z

Picodes marked the issue as duplicate of #356

#1 - c4-judge

2023-08-06T10:32:17Z

Picodes marked the issue as satisfactory

Findings Information

Awards

19.2867 USDC - $19.29

Labels

bug
2 (Med Risk)
satisfactory
duplicate-431

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306

Vulnerability details

The setDrawManager function in the provided contract is also susceptible to front-running attacks. This means that if there is a pending transaction to set a new draw manager, an attacker can observe that transaction and submit their own transaction with a higher gas price to set themselves as the draw manager before the original transaction gets confirmed. By front-running the draw manager assignment, the attacker can take control over the draw manager role and potentially manipulate the contract's behavior.

Impact

An attacker can front-run the draw manager assignment and gain unauthorized control over the draw manager role. As the draw manager, they can manipulate draws, alter prize distributions, or disrupt the contract's intended functionality. This can lead to unfair distribution of prizes, financial loss, or other undesirable consequences.

Proof of Concept

To exploit this vulnerability, an attacker can monitor pending transactions and submit their transaction with a higher gas price to set themselves as the draw manager:

// Deploy the contract and wait for a pending transaction to set the draw manager
// Observe the pending transaction details, including the gas price

// Submit a competing transaction with a higher gas price to set attackerAddress as the draw manager
prizePool.setDrawManager(attackerAddress);

Tools Used

manual

Introduce a delay mechanism that allows time for the initial transaction to confirm before accepting subsequent draw manager assignment transactions.

Assessed type

Other

#0 - c4-judge

2023-07-16T16:04:31Z

Picodes marked the issue as duplicate of #356

#1 - c4-judge

2023-08-06T10:32:15Z

Picodes marked the issue as satisfactory
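
The two findings above describe the same setter from two angles: no caller check, and a race for the first call. As an added example (not code from the findings or from the PoolTogether repository), the page's setDrawManager is shown beside one possible hardened form that limits the one-time set to the deployer. The names `creator`, `NotCreator`, `ZeroAddress` and all three contract names are assumptions introduced for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not PoolTogether code. Only the "before" body of
// setDrawManager, the DrawManagerAlreadySet error and the DrawManagerSet
// event come from the finding; everything else is hypothetical.
abstract contract DrawManagerBase {
    error DrawManagerAlreadySet();
    event DrawManagerSet(address drawManager);

    address public drawManager;
}

// Before: set-once, but the first caller wins, whoever that is.
contract UnrestrictedSetter is DrawManagerBase {
    function setDrawManager(address _drawManager) external {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
}

// After: still set-once, but only the deployer may perform the one-time set.
contract CreatorOnlySetter is DrawManagerBase {
    error NotCreator();
    error ZeroAddress();

    // Assumption: the deploying account is the party trusted to pick the manager.
    address public immutable creator;

    constructor() {
        creator = msg.sender;
    }

    function setDrawManager(address _drawManager) external {
        // Caller check comes first, so an unauthorized call reverts
        // whether or not the manager has been set yet.
        if (msg.sender != creator) revert NotCreator();
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        // Setting the zero address would leave the slot looking unset.
        if (_drawManager == address(0)) revert ZeroAddress();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
}
```

With the caller check in place, a competing transaction from any other address reverts regardless of transaction ordering, so the set-once guard no longer rewards whoever is mined first.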
