Code4rena CODE423N4:2023-08-POOLTOGETHER-FINDINGS-ISSUES-107
Aug 07, 2023 - 12:00 a.m.

A malicious deployer can set auctionTargetTime close to auctionDuration to make it hard or impossible for anyone to win a reward.

Lines of code
<https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L145-L146>
<https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L398-L406>

Vulnerability details

Impact

A malicious deployer could set auctionTargetTime very close to auctionDuration, making it hard or impossible for anyone to win a reward, leading to losses.

Proof of Concept

In the constructor, auctionTargetTime is not validated to be less than auctionDuration: <https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L152-L153>
<https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L145-L146>

The reward amount depends on the elapsed time and the target time: <https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L398-L406>

If auctionTargetTime is set very close to auctionDuration, then the window to call startRngRequest and get a decent reward fraction will be very small.
For example, if auctionDuration is 3600 seconds (1 hour) and auctionTargetTime is set to 3590 seconds (59 minutes 50 seconds), there is only a 10 second window at the end of the auction to call startRngRequest and get a high reward.
A malicious deployer could set auctionTargetTime = auctionDuration - 1 to make the window 1 second.

Tools Used

Manual

Recommended Mitigation Steps

Validate auctionTargetTime and add a minimum window between target and duration.
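
One way to implement this validation, as an added example that is not the RngAuction source. The contract name, the error names and MIN_TARGET_WINDOW (including its 5-minute value) are assumptions made for illustration; only auctionDuration and auctionTargetTime come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration of constructor-time validation; not the project's code.
contract AuctionTimingGuard {
    /// Hypothetical floor on the gap between the target time and the auction end.
    uint64 public constant MIN_TARGET_WINDOW = 5 minutes;

    uint64 public immutable auctionDuration;
    uint64 public immutable auctionTargetTime;

    /// Hypothetical error names.
    error AuctionTargetTimeNotBelowDuration(uint64 auctionTargetTime, uint64 auctionDuration);
    error AuctionWindowTooSmall(uint64 window, uint64 minimumWindow);

    constructor(uint64 auctionDuration_, uint64 auctionTargetTime_) {
        // Check ordering first so the subtraction below cannot underflow.
        if (auctionTargetTime_ >= auctionDuration_) {
            revert AuctionTargetTimeNotBelowDuration(auctionTargetTime_, auctionDuration_);
        }

        uint64 window = auctionDuration_ - auctionTargetTime_;

        // Rejects the report's 3600 / 3590 case (10 second window)
        // as well as auctionTargetTime = auctionDuration - 1.
        if (window < MIN_TARGET_WINDOW) {
            revert AuctionWindowTooSmall(window, MIN_TARGET_WINDOW);
        }

        auctionDuration = auctionDuration_;
        auctionTargetTime = auctionTargetTime_;
    }

    /// Seconds between the target time and the end of the auction.
    function targetWindow() external view returns (uint64) {
        return auctionDuration - auctionTargetTime;
    }
}
```

Because both values are fixed at deployment, checking them in the constructor is sufficient; the minimum window itself should be chosen against how the reward fraction changes with elapsed time.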

Assessed type

Other

