withdraw timelock can be circumvented #91

Open
code423n4 opened this issue Jun 23, 2021 · 1 comment

@code423n4
Contributor

Handle

cmichel

Vulnerability details

One can withdraw the entire PrizePool deposit by circumventing the timelock.
Assume the user has no credits for ease of computation:

  • user calls withdrawWithTimelockFrom(user, amount=userBalance) with their entire balance. This "mints" an equivalent amount of timelock and resets _unlockTimestamps[user] = timestamp = blockTime + lockDuration.
  • user calls withdrawWithTimelockFrom(user, amount=0) again but this time withdrawing 0 amount. This will return a lockDuration of 0 and thus unlockTimestamp = blockTime. The inner _mintTimelock now resets _unlockTimestamps[user] = unlockTimestamp
  • As if (timestamp <= _currentTime()) is true, the full users amount is now transferred out to the user in the _sweepTimelockBalances call.

Impact

Users don't need to wait for their deposit to contribute their fair share to the prize pool.
They can join before the awards and leave right after without a penalty which leads to significant issues for the protocol.
It's the superior strategy, but it leads to no investment in the strategy to earn the actual interest.

Recommended Mitigation Steps

The unlock timestamp should be increased by duration each time, instead of being reset to the duration.

@code423n4 code423n4 added the labels 3 (High Risk) and bug on Jun 23, 2021
code423n4 added a commit that referenced this issue Jun 23, 2021
@asselstine
Collaborator

Mitigation:

If a user's timelock balance is non-zero, the prize strategy rejects the ticket burn.
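To make the two-step bypass in the vulnerability details and the two proposed fixes (cmichel's "extend the unlock timestamp" and asselstine's "reject the ticket burn while a timelock is pending") concrete, here is a small Python model of the timelock logic as the report describes it. This is an added example, not PoolTogether's contract code: the 14-day lock constant, the method and variable names, and the simulation structure are assumptions made for the model, and the user is assumed to hold no credit, as in the report.

```python
# Added example (not PoolTogether's contract code): a Python model of the
# timelock logic described in this issue, used to replay the bypass and to
# compare the two proposed mitigations. Constants, method names and the
# simulation structure are assumptions made for the model.


class TimelockPool:
    """Simulates the parts of withdrawWithTimelockFrom / _mintTimelock /
    _sweepTimelockBalances that the report relies on."""

    def __init__(self, lock_duration, fix=None):
        self.lock_duration = lock_duration  # assumed lock length in seconds
        self.fix = fix                      # None (vulnerable), "extend", or "reject_if_locked"
        self.now = 0                        # simulated block timestamp
        self.deposits = {}                  # user -> ticket balance still in the pool
        self.timelock_balance = {}          # user -> tokens waiting behind the timelock
        self.unlock_ts = {}                 # user -> _unlockTimestamps[user]
        self.wallet = {}                    # user -> tokens actually paid out

    def deposit(self, user, amount):
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def advance(self, seconds):
        self.now += seconds

    def _calculate_timelock_duration(self, user, amount):
        # Report's assumption: the user holds no credit, so a non-zero withdrawal
        # gets the full lock while a 0-amount withdrawal yields a duration of 0.
        return 0 if amount == 0 else self.lock_duration

    def _mint_timelock(self, user, amount, unlock_timestamp):
        self.timelock_balance[user] = self.timelock_balance.get(user, 0) + amount
        if self.fix == "extend":
            # cmichel's recommendation: push the existing unlock time out by the
            # new duration instead of overwriting it.
            base = max(self.unlock_ts.get(user, 0), self.now)
            self.unlock_ts[user] = base + (unlock_timestamp - self.now)
        else:
            # Vulnerable behaviour: the stored timestamp is simply reset.
            self.unlock_ts[user] = unlock_timestamp

    def _sweep_timelock_balance(self, user):
        # Same check the report quotes: if (timestamp <= _currentTime()) sweep.
        if self.unlock_ts.get(user, 0) <= self.now:
            self.wallet[user] = self.wallet.get(user, 0) + self.timelock_balance.get(user, 0)
            self.timelock_balance[user] = 0

    def withdraw_with_timelock(self, user, amount):
        if self.fix == "reject_if_locked" and self.timelock_balance.get(user, 0) > 0:
            # asselstine's mitigation: refuse the ticket burn while a timelock is pending.
            raise PermissionError("timelock balance is non-zero; ticket burn rejected")
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        self.deposits[user] -= amount
        unlock_timestamp = self.now + self._calculate_timelock_duration(user, amount)
        self._mint_timelock(user, amount, unlock_timestamp)
        self._sweep_timelock_balance(user)
        return self.unlock_ts[user]

    def sweep_timelock_balances(self, user):
        """Public sweep: the legitimate way to collect funds once the lock expires."""
        self._sweep_timelock_balance(user)
        return self.wallet.get(user, 0)


LOCK = 14 * 86400  # assumed 14-day timelock


def run_bypass(fix=None):
    """Replay the two-step bypass from the report; return what the user received."""
    pool = TimelockPool(LOCK, fix=fix)
    pool.deposit("alice", 1000)
    pool.withdraw_with_timelock("alice", 1000)  # step 1: lock the full balance
    try:
        pool.withdraw_with_timelock("alice", 0)  # step 2: 0-amount call, duration 0
    except PermissionError:
        pass  # the reject_if_locked fix stops step 2 outright
    return pool.wallet.get("alice", 0)


def run_legitimate(fix=None):
    """Withdraw, wait out the lock, then sweep; pays out under every variant."""
    pool = TimelockPool(LOCK, fix=fix)
    pool.deposit("alice", 1000)
    pool.withdraw_with_timelock("alice", 1000)
    pool.advance(LOCK)
    return pool.sweep_timelock_balances("alice")


if __name__ == "__main__":
    for variant in (None, "extend", "reject_if_locked"):
        print(variant, "bypass paid out:", run_bypass(variant),
              "legitimate paid out:", run_legitimate(variant))
```

Running it shows the vulnerable model paying out the full 1000 immediately after the 0-amount call, while both fixes leave the bypass with nothing and still pay out once the lock has actually elapsed. The "extend" variant keeps the stored timestamp monotonic by adding the new duration to whichever is later, the existing unlock time or the current block time; the "reject_if_locked" variant never reaches the reset at all.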
