Platform: Code4rena
Start Date: 02/08/2023
Pot Size: $42,000 USDC
Total HM: 13
Participants: 45
Period: 5 days
Judge: hickuphh3
Total Solo HM: 5
Id: 271
League: ETH
Rank: 33/45
Findings: 1
Award: $89.63
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Aymen0909
Also found by: 0xStalin, 0xbepresent, Arz, D_Auditor, Jorgect, T1MOH, bin2chen, dirk_y, josephdara, ptsanev, rvierdiiev, seerether, shirochan, trachev
89.6296 USDC - $89.63
In RngRelayAuction.sol the rngComplete function is meant to be called only by the rngAuctionRelayer contract; however, it can currently be called by any user. Consequently, any random number can be used to close a prize pool draw, benefiting the malicious user. Furthermore, other function parameters such as _rewardRecipient can be set to values that further benefit the attacker and drain funds from the protocol and its users.
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L131-L176
At the linked lines there is no check on who msg.sender is, and the prize pool is closed with the _randomNumber parameter, which the attacker can set to any value.
Manual review
Add an authentication check on msg.sender in the rngComplete function so that the call reverts unless msg.sender equals the rngAuctionRelayer address.
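The mitigation as a runnable Foundry sketch, added here as an example and not the project's own code: a simplified RngRelayAuction with the caller check in place, a stand-in prize pool, and a test showing that a non-relayer call reverts while the relayer's call closes the draw. The RelayerOnly error, RngSequenceCompleted event, MockPrizePool and the constructor/storage layout are assumptions, not taken from the audited repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Stand-in for the prize pool; the real PrizePool interface is assumed, not taken from the finding.
contract MockPrizePool {
    uint256 public lastRandomNumber;

    function closeDraw(uint256 winningRandomNumber) external returns (uint24) {
        lastRandomNumber = winningRandomNumber;
        return 1; // constructed draw id
    }
}

// Simplified RngRelayAuction with the missing access control added.
// Hypothetical names: RelayerOnly, RngSequenceCompleted, the storage layout below.
contract RngRelayAuctionHardened {
    error RelayerOnly();
    event RngSequenceCompleted(uint24 indexed drawId, uint256 randomNumber, address rewardRecipient);

    address public immutable rngAuctionRelayer; // the only account allowed to deliver RNG results
    MockPrizePool public immutable prizePool;

    constructor(address _rngAuctionRelayer, MockPrizePool _prizePool) {
        rngAuctionRelayer = _rngAuctionRelayer;
        prizePool = _prizePool;
    }

    // Mitigation: reject every caller except the configured relayer before touching the prize pool.
    function rngComplete(uint256 _randomNumber, address _rewardRecipient) external returns (uint24 drawId) {
        if (msg.sender != rngAuctionRelayer) revert RelayerOnly();
        drawId = prizePool.closeDraw(_randomNumber);
        emit RngSequenceCompleted(drawId, _randomNumber, _rewardRecipient);
    }
}

contract RngRelayAuctionHardenedTest is Test {
    address relayer = makeAddr("relayer");
    MockPrizePool pool = new MockPrizePool();
    RngRelayAuctionHardened auction = new RngRelayAuctionHardened(relayer, pool);

    function test_NonRelayerCannotCloseDraw() public {
        address anyone = makeAddr("anyone");
        vm.prank(anyone);
        vm.expectRevert(RngRelayAuctionHardened.RelayerOnly.selector);
        auction.rngComplete(12345, anyone);
    }

    function test_RelayerClosesDraw() public {
        vm.prank(relayer);
        auction.rngComplete(12345, relayer);
        assertEq(pool.lastRandomNumber(), 12345);
    }
}
```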
Access Control
#0 - c4-pre-sort
2023-08-08T03:02:28Z
raymondfam marked the issue as duplicate of #82
#1 - c4-judge
2023-08-14T02:47:26Z
HickupHH3 marked the issue as satisfactory