PoolTogether - namx05's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

Findings Distribution

Researcher Performance

Rank: 89/111

Findings: 1

Award: $19.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.2867 USDC - $19.29

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-431

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299

Vulnerability details

Impact

The setDrawManager function lacks access control: any address can call it and set the drawManager variable, the only guard being that it reverts once drawManager is already non-zero. This is a security risk because an unauthorized caller can claim this critical system setting before the legitimate deployer does.

The absence of access control introduces the following potential risks:

  • Any user or contract can call the setDrawManager function and set the drawManager address (once, before it has been set by the intended party).
  • The absence of access control undermines the trustworthiness of the smart contract, as it allows unauthorized individuals to tamper with crucial settings.

Proof of Concept

Code Snippet:

function setDrawManager(address _drawManager) external {
    // No access-control modifier: any caller can set drawManager while it is still address(0)
    if (drawManager != address(0)) {
        revert DrawManagerAlreadySet();
    }
    drawManager = _drawManager;

    emit DrawManagerSet(_drawManager);
}

Tools Used

Manual

Recommended Mitigation Steps

To address the missing access control, restrict setDrawManager so that only an authorized caller (for example the contract deployer or owner) can invoke it, or set drawManager in the constructor.
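The following is an added illustration, not PoolTogether's code: a trimmed-down contract keeping the one-time guard from the snippet above but adding an owner check, plus a Foundry test (assumes forge-std is available) confirming that a non-owner call reverts. Contract, error and test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

/// Hypothetical contract (not the audited PrizePool) showing the setter
/// from the finding with an owner restriction added.
contract DrawManagerSetterExample {
    address public owner;
    address public drawManager;

    error DrawManagerAlreadySet();
    error NotOwner(address caller);

    event DrawManagerSet(address indexed drawManager);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Hardened version: the one-time guard is kept, and the caller is
    /// additionally restricted to the owner, so an arbitrary account can no
    /// longer claim the slot before the deployer does.
    function setDrawManager(address _drawManager) external onlyOwner {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
}

/// Foundry test: a non-owner call must revert with NotOwner.
contract DrawManagerSetterTest is Test {
    function test_nonOwnerCannotSet() public {
        DrawManagerSetterExample c = new DrawManagerSetterExample();
        address stranger = address(0xBEEF); // constructed test address
        vm.prank(stranger);
        vm.expectRevert(
            abi.encodeWithSelector(DrawManagerSetterExample.NotOwner.selector, stranger)
        );
        c.setDrawManager(stranger);
    }
}
```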

Assessed type

Access Control

#0 - c4-judge

2023-07-14T22:59:09Z

Picodes marked the issue as duplicate of #356

#1 - c4-judge

2023-07-14T22:59:13Z

Picodes marked the issue as duplicate of #356

#2 - c4-judge

2023-08-06T10:31:37Z

Picodes changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-08-06T10:32:19Z

Picodes marked the issue as satisfactory
