PrizePool.beforeTokenTransfer() incorrectly uses msg.sender in seven places instead of _msgSender() #23

Open
code423n4 opened this issue Jun 23, 2021 · 2 comments


@code423n4
Contributor

Handle

jvaqa

Vulnerability details

Impact

PrizePool.beforeTokenTransfer() incorrectly uses msg.sender in seven places instead of _msgSender(). [1]

Nearly all of PrizePool.sol opts to use _msgSender() to provide for more optionality.

It appears that PrizePool.beforeTokenTransfer() may have been copy/pasted into PrizePool.sol without adjusting msg.sender to use _msgSender().

Recommended Mitigation Steps

Replace the seven instances of msg.sender in PrizePool.beforeTokenTransfer() with _msgSender().

[1] https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/PrizePool.sol#L418

code423n4 added the 1 (Low Risk) and bug labels Jun 23, 2021
code423n4 added a commit that referenced this issue Jun 23, 2021
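
A consistency check for the pattern this report describes, as an added example that is not part of the original report or the project's code: it lists functions that read msg.sender directly in a Solidity file that otherwise calls _msgSender(). The sample contract and its helper names (isControlled, burnHook, _mint) are constructed for illustration and are not taken from PrizePool.sol.

```python
import re

# Constructed sample (not the real PrizePool.sol): inconsistent sender usage.
SAMPLE = """
contract Pool {
    function deposit(uint256 amount) external {
        _mint(_msgSender(), amount);
    }
    function beforeTokenTransfer(address from, address to, uint256 amount) external {
        // msg.sender inside a comment must not be counted
        require(isControlled(msg.sender), "unknown-token");
        if (from != address(0)) { burnHook(msg.sender, from, amount); }
    }
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def function_bodies(source):
    """Yield (name, body) for each function with a brace-delimited body."""
    for m in FUNC_RE.finditer(source):
        start, semi = source.find("{", m.end()), source.find(";", m.end())
        if start == -1 or (semi != -1 and semi < start):
            continue  # declaration only (interface or abstract function)
        depth = 0
        for i in range(start, len(source)):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                break
        yield m.group(1), source[start:i + 1]

def direct_sender_uses(source):
    """Return {function: count of msg.sender reads}, only when the file also
    calls _msgSender() somewhere, i.e. the two styles are mixed."""
    code = COMMENT_RE.sub("", source)
    if "_msgSender()" not in code:
        return {}
    hits = {}
    for name, body in function_bodies(code):
        count = len(re.findall(r"\bmsg\.sender\b", body))
        if count:
            hits[name] = count
    return hits

if __name__ == "__main__":
    print(direct_sender_uses(SAMPLE))
```

The brace matching is textual, so string literals that contain braces or `//` would need a real Solidity parser.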
@asselstine
Collaborator

Severity is 0 (non-critical)

@dmvt
Collaborator

dmvt commented Aug 23, 2021

Agree with sponsor on severity. Warden has not shown how this could cause problems as currently written. It should be fixed for consistency and style's sake.
