Back to T1MOH's contests

PoolTogether V5: Part Deux - T1MOH's results

A protocol for no-loss prize savings.

General Information

Platform: Code4rena

Start Date: 02/08/2023

Pot Size: $42,000 USDC

Total HM: 13

Participants: 45

Period: 5 days

Judge: hickuphh3

Total Solo HM: 5

Id: 271

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 26/45

Findings: 1

Award: $89.63

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: Aymen0909

Also found by: 0xStalin, 0xbepresent, Arz, D_Auditor, Jorgect, T1MOH, bin2chen, dirk_y, josephdara, ptsanev, rvierdiiev, seerether, shirochan, trachev

Awards

89.6296 USDC - $89.63

Labels

bug
3 (High Risk)
satisfactory
edited-by-warden
duplicate-82

External Links

Link to GitHub issue

Lines of code

https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L131-L137

Vulnerability details

Impact

RngRelayAuction.rngComplete() misses access control. It is supposed to be called by remote owner, however it doesn't check caller. As a result anyone can withdraw all reserves manipulating random numbers.

Proof of Concept

There is no checks of msg.sender. He can manipulate all the data https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L131-L145

  function rngComplete(
    uint256 _randomNumber,
    uint256 _rngCompletedAt,
    address _rewardRecipient,
    uint32 _sequenceId,
    AuctionResult calldata _rngAuctionResult
  ) external returns (bytes32) {
    if (_sequenceHasCompleted(_sequenceId)) revert SequenceAlreadyCompleted();
    uint64 _auctionElapsedSeconds = uint64(block.timestamp < _rngCompletedAt ? 0 : block.timestamp - _rngCompletedAt);
    if (_auctionElapsedSeconds > (_auctionDurationSeconds-1)) revert AuctionExpired();
    // Calculate the reward fraction and set the draw auction results
    UD2x18 rewardFraction = _fractionalReward(_auctionElapsedSeconds);
    _auctionResults.rewardFraction = rewardFraction;
    _auctionResults.recipient = _rewardRecipient;
    _lastSequenceId = _sequenceId;

    ...
  }

Tools Used

Manual Review

As I understand, RemoteOwner must control RngRelayAuction.sol. So just add owner to RngRelayAuction.sol and check msg.sender

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-08-08T00:55:48Z

raymondfam marked the issue as low quality report

#1 - raymondfam

2023-08-08T00:56:19Z

This function deals with random numbers that had already been generated.

#2 - c4-pre-sort

2023-08-08T02:32:14Z

raymondfam marked the issue as remove high or low quality report

#3 - c4-pre-sort

2023-08-08T02:32:24Z

raymondfam marked the issue as duplicate of #82

#4 - c4-judge

2023-08-14T02:45:21Z

HickupHH3 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter