Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 93/111
Findings: 1
Award: $15.92
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: bin2chen
Also found by: 0x11singh99, 0xWaitress, 0xbepresent, ABAIKUNANBAEV, ArmedGoose, Bauchibred, DadeKuma, GREY-HAWK-REACH, GalloDaSballo, Inspecktor, Jeiwan, Kaysoft, MohammedRizwan, Rolezn, Vagner, alexzoid, alymurtazamemon, ayden, banpaleo5, catellatech, dacian, erebus, eyexploit, fatherOfBlocks, grearlake, joaovwfreire, keccak123, kutugu, lanrebayode77, markus_ether, nadin, naman1778, rvierdiiev, squeaky_cactus, volodya, yixxas
15.9228 USDC - $15.92
`_tierOdds` return variable of the `_computeVaultTierDetails()` function call in the `PrizePool.sol::claimPrize` function.

The `_tierOdds` return variable of the `_computeVaultTierDetails()` function call in the `PrizePool.sol::claimPrize` function shadows a state variable, `TieredLiquidityDistributor._tierOdds`.
```solidity
function claimPrize(
    address _winner,
    uint8 _tier,
    uint32 _prizeIndex,
    address _prizeRecipient,
    uint96 _fee,
    address _feeRecipient
) external returns (uint256) {
    Tier memory tierLiquidity = _getTier(_tier, numberOfTiers);

    if (_fee > tierLiquidity.prizeSize) {
        revert FeeTooLarge(_fee, tierLiquidity.prizeSize);
    }

    //@audit _tierOdds shadows TieredLiquidityDistributor._tierOdds
@>  (SD59x18 _vaultPortion, SD59x18 _tierOdds, uint16 _drawDuration) = _computeVaultTierDetails(
        msg.sender,
        _tier,
        numberOfTiers,
        lastClosedDrawId);
```
Rename the return variable `tierOdds` of the `_computeVaultTierDetails()` function call in the `claimPrize` function.
`winners` and `prizeIndices` may be of different length.

The parameters `winners` and `prizeIndices` of the function `Claimer.sol::claimPrizes()` may be of different lengths, leading to unexpected execution and state changes.
```solidity
function claimPrizes(
    Vault vault,
    uint8 tier,
    address[] calldata winners,
    uint32[][] calldata prizeIndices,
    address _feeRecipient
) external returns (uint256 totalFees) {
    uint256 claimCount;
    //@audit no check for same array length `winners.length == prizeIndices.length`
    for (uint i = 0; i < winners.length; i++) {
        claimCount += prizeIndices[i].length;
    }

    uint96 feePerClaim = uint96(
        _computeFeePerClaim(
            _computeMaxFee(tier, prizePool.numberOfTiers()),
            claimCount,
            prizePool.claimCount()
        )
    );

    vault.claimPrizes(tier, winners, prizeIndices, feePerClaim, _feeRecipient);

    return feePerClaim * claimCount;
}
```
Add a validation to check that the `winners` and `prizeIndices` arrays are of the same length.

```solidity
require(winners.length == prizeIndices.length, "Unequal length");
```
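The contract below is an added example, not code from the report or from the audited project. It isolates the counting loop of `claimPrizes()` to show what each direction of the length mismatch does, and how an explicit check changes the outcome. The contract name, function names and the custom error are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not the audited project's code. It isolates the
/// claim-counting loop of claimPrizes() so both mismatch cases can be tested.
contract ClaimCountExample {
    /// Hypothetical error name, chosen for this example.
    error ClaimArraySizeMismatch(uint256 winnersLength, uint256 prizeIndicesLength);

    /// Loop as quoted in the report: bounded by winners.length only.
    /// - winners shorter than prizeIndices: the trailing prizeIndices
    ///   entries are never counted, so claimCount is too low.
    /// - winners longer than prizeIndices: prizeIndices[i] is read out of
    ///   bounds and the call reverts with Panic(0x32) and no useful message.
    function countUnchecked(
        address[] calldata winners,
        uint32[][] calldata prizeIndices
    ) external pure returns (uint256 claimCount) {
        for (uint256 i = 0; i < winners.length; i++) {
            claimCount += prizeIndices[i].length;
        }
    }

    /// Same loop behind an explicit length check, so every mismatch fails
    /// early with an error that names both lengths.
    function countChecked(
        address[] calldata winners,
        uint32[][] calldata prizeIndices
    ) external pure returns (uint256 claimCount) {
        if (winners.length != prizeIndices.length) {
            revert ClaimArraySizeMismatch(winners.length, prizeIndices.length);
        }
        for (uint256 i = 0; i < winners.length; i++) {
            claimCount += prizeIndices[i].length;
        }
    }
}
```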
The project uses the Solidity 0.8.17 compiler pragma. Consider using the latest stable version, because it will have security bug fixes and updates. Files: all files

Consider using at least Solidity version 0.8.19.
#0 - c4-judge
2023-07-18T19:12:59Z
Picodes marked the issue as grade-b