Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

setPrizeStrategy check for Interface Supported in PrizePool.sol doesn't guarantee that the new prize strategy is valid #15

Open
code423n4 opened this issue Jun 22, 2021 · 2 comments
Labels

Comments

@code423n4
Copy link
Contributor

Handle

GalloDaSballo

Vulnerability details

Impact

The check in https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L1007

Seems to imply that a strategy is valid as long as it implements the ERC165_INTERFACE_ID_TOKEN_LISTENER.

However, any attacker could fabricate a contract that supports the interface, while still draining or locking funds.

Based on who the owner can be (whether it's the creator of the prize or governance), this can be riskier or less risky

If governance is timelocked, then the risk of setting the wrong strategy is minimal.

If the creator of the pool can be a random address, then this is effectively allowing them to attach any strategy that will steal funds without any tangible protection.

Proof of Concept

I could just copy the PrizeStrategy code, then change the deposit function to steal all funds / interest

Recommended Mitigation Steps

Checking for a property in the contract is not a security guarantee.

I would recommend having a record of all valid PrizeStrategies, controller by governance, to ensure that the only strategies that can be set are vetted by the community / governance.

@code423n4 code423n4 added bug Something isn't working 2 (Med Risk) labels Jun 22, 2021
code423n4 added a commit that referenced this issue Jun 22, 2021
@asselstine
Copy link
Collaborator

First of all there is no deposit function on the prize strategy; the prize strategy only has access to the interest earned on the principal. The prize strategy can't rug the pool.

We explicitly want to allow people to swap strategies. The risk is mitigated to the interest, so it's low risk for depositors.

@dmvt
Copy link
Collaborator

dmvt commented Aug 27, 2021

This assumes that the owner is a bad actor. If we agree that owners as bad actors constitutes a risk, than nearly every protocol of this nature has the risk. Users should be aware that the owner is slightly trusted, so I'm going to relabel this as informational / non-critical and let it stand, but I agree with the sponsor that no action needs to be taken.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants