Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 86/111
Findings: 1
Award: $19.29
π Selected for report: 0
π Solo Findings: 0
π Selected for report: Udsen
Also found by: 0x11singh99, 0xPsuedoPandit, Daniel526, Darwin, Inspecktor, Jorgect, Nyx, Praise, Tripathi, YY, catellatech, namx05, squeaky_cactus, xuwinnie
19.2867 USDC - $19.29
The prizePool contract is using a drawManager to call some importan function in the prizePool like withdrawReserve to withdraw the resever, closeDraw function in which it setting the winningNumber.
The drawManager is set in the contructor but also have a function to change it. This function itΒ΄s not implementing any access control or modifier to prevent that this function will be call it by a malicius user.
A malicius user can change the drawManager and withdraw the resever or call a closeDraw and set his own winning number
We can analyze the function and the comment:
file: Breadcrumbspt-v5-prize-pool/src/PrizePool.sol /// @notice Allows a caller to set the DrawManager if not already set. /// @dev Notice that this can be front-run: make sure to verify the drawManager after construction /// @param _drawManager The draw manager function setDrawManager(address _drawManager) external { //@audit (high) evryone can set the drawmanager? if (drawManager != address(0)) { revert DrawManagerAlreadySet(); } drawManager = _drawManager; emit DrawManagerSet(_drawManager); }
For the comments "@dev Notice that this can be front-run: make sure to verify the drawManager after construction" we can assume that this function should be call it after the constructor in case that the the drawManager was not set. The problem is that this function can be call it without restrictions. permiting a malicius user becoming it self the drawManager and withdraw the resever:
file: Breadcrumbspt-v5-prize-pool/src/PrizePool.sol function withdrawReserve(address _to, uint104 _amount) external onlyDrawManager { if (_amount > _reserve) { revert InsufficientReserve(_amount, _reserve); } _reserve -= _amount; _transfer(_to, _amount); emit WithdrawReserve(_to, _amount); }
Or close the draw and set his own winning number:
function closeDraw(uint256 winningRandomNumber_) external onlyDrawManager returns (uint16) { ... }
manual
The contract can implement a initializer modifier in the setDrawManager function:
uint256 public initializing = 0; modifier initializer(){ if (initializing == 1){ revert; } initializing=1; } function setDrawManager(address _drawManager) external initializer{ ... }
The contract can add onlyDrawManager in the setDrawManager function:
function setDrawManager(address _drawManager) external onlyDrawManager{ ... }
Access Control
#0 - c4-judge
2023-07-14T22:59:19Z
Picodes marked the issue as duplicate of #356
#1 - c4-judge
2023-08-06T10:31:36Z
Picodes changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-08-06T10:32:21Z
Picodes marked the issue as satisfactory