PoolTogether - MiniGlome's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

Findings Distribution

Researcher Performance

Rank: 33/111

Findings: 1

Award: $569.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rvierdiiev

Also found by: MiniGlome

Labels

bug
2 (Med Risk)
satisfactory
duplicate-115

Awards

569.0704 USDC - $569.07

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-claimer/blob/57a381aef690a27c9198f4340747155a71cae753/src/Claimer.sol#L60

Vulnerability details

Impact

A malicious user is able to claim the prizes without having to compete in the bot race.

Proof of concept

When claimPrizes() is called to claim the prizes on behalf of the users, it is possible to frontrun this call and get the claiming reward by replacing the _feeRecipient address.

Recommended Mitigation Steps

The protocol should implement an anti-frontrunning strategy such as the LibSubmarine (https://libsubmarine.org/).

Assessed type

Timing
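As an added illustration (not code from the PoolTogether repository or from the warden's submission), a minimal Solidity sketch of the claim-fee pattern the finding describes, beside a simplified commit/reveal variant in the spirit of the recommended anti-frontrunning mitigation. The function names, the FEE value and the single-winner claim shape are assumptions chosen for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustration only, not pt-v5-claimer code. The claim fee goes to whatever
// address the caller passes, so a pending call can be copied from the mempool
// and resubmitted with a different feeRecipient ahead of the original.
contract OpenClaimer {
    uint256 public constant FEE = 1e15; // constructed sample value
    mapping(address => bool) public claimed;
    event Claimed(address indexed winner, address indexed feeRecipient, uint256 fee);

    function claimPrize(address winner, address feeRecipient) external {
        require(!claimed[winner], "already claimed");
        claimed[winner] = true;
        emit Claimed(winner, feeRecipient, FEE); // fee paid to an unbound address
    }
}

// Hardened variant: a simplified commit/reveal in the spirit of the
// anti-frontrunning mitigation suggested above. The fee recipient is bound
// to the committer, and the reveal hash includes msg.sender, so a copied
// reveal sent from another account matches no commitment.
contract CommitRevealClaimer {
    uint256 public constant FEE = 1e15; // constructed sample value
    struct Commitment { address committer; uint256 blockNumber; }
    mapping(bytes32 => Commitment) public commitments;
    mapping(address => bool) public claimed;
    event Claimed(address indexed winner, address indexed feeRecipient, uint256 fee);

    // Phase 1: publish keccak256(abi.encode(winner, msg.sender, salt)).
    // The hash reveals nothing about which winner is about to be claimed.
    function commit(bytes32 commitment) external {
        require(commitments[commitment].committer == address(0), "commitment exists");
        commitments[commitment] = Commitment(msg.sender, block.number);
    }

    // Phase 2: reveal in a later block. Only the committer can produce a
    // matching hash, and the fee goes to msg.sender, never to a parameter.
    function reveal(address winner, bytes32 salt) external {
        bytes32 h = keccak256(abi.encode(winner, msg.sender, salt));
        Commitment memory c = commitments[h];
        require(c.committer == msg.sender, "no commitment for sender");
        require(block.number > c.blockNumber, "reveal too early");
        require(!claimed[winner], "already claimed");
        claimed[winner] = true;
        delete commitments[h];
        emit Claimed(winner, msg.sender, FEE);
    }
}
```

The block-number check rules out a commit and reveal landing in the same block, but a reveal that sits unmined for more than a block can still be raced by a fresh commitment; closing that gap is what fuller schemes such as LibSubmarine address.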

#0 - c4-judge

2023-07-18T17:46:13Z

Picodes marked the issue as unsatisfactory: Invalid

#1 - c4-judge

2023-08-08T13:13:56Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-08-08T13:14:36Z

Picodes marked the issue as duplicate of #115
