You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
One can withdraw the entire PrizePool deposit by circumventing the timelock.
Assume the user has no credits for ease of computation:
user calls withdrawWithTimelockFrom(user, amount=userBalance) with their entire balance. This "mints" an equivalent amount of timelock and resets _unlockTimestamps[user] = timestamp = blockTime + lockDuration.
user calls withdrawWithTimelockFrom(user, amount=0) again but this time withdrawing 0 amount. This will return a lockDuration of 0 and thus unlockTimestamp = blockTime. The inner _mintTimelock now resets _unlockTimestamps[user] = unlockTimestamp
As if (timestamp <= _currentTime()) is true, the full users amount is now transferred out to the user in the _sweepTimelockBalances call.
Impact
Users don't need to wait for their deposit to contribute their fair share to the prize pool.
They can join before the awards and leave right after without a penalty which leads to significant issues for the protocol.
It's the superior strategy but it leads to no investments in the strategy to earn the actual interest.
Recommended Mitigation Steps
The unlock timestamp should be increased by duration each time, instead of being reset to the duration.
The text was updated successfully, but these errors were encountered:
Handle
cmichel
Vulnerability details
One can withdraw the entire
PrizePool
deposit by circumventing the timelock.Assume the user has no credits for ease of computation:
withdrawWithTimelockFrom(user, amount=userBalance)
with their entire balance. This "mints" an equivalentamount
oftimelock
and resets_unlockTimestamps[user] = timestamp = blockTime + lockDuration
.withdrawWithTimelockFrom(user, amount=0)
again but this time withdrawing0
amount. This will return alockDuration
of0
and thusunlockTimestamp = blockTime
. The inner_mintTimelock
now resets_unlockTimestamps[user] = unlockTimestamp
if (timestamp <= _currentTime())
is true, the full users amount is now transferred out to the user in the_sweepTimelockBalances
call.Impact
Users don't need to wait for their deposit to contribute their fair share to the prize pool.
They can join before the awards and leave right after without a penalty which leads to significant issues for the protocol.
It's the superior strategy but it leads to no investments in the strategy to earn the actual interest.
Recommended Mitigation Steps
The unlock timestamp should be increased by duration each time, instead of being reset to the duration.
The text was updated successfully, but these errors were encountered: