20,000 USDC
Submission Details
Severity: high

Overwriting Existing Pools in setPool Function

Summary

The smart contract function setPool has several issues related to pool creation and event emission. It fails to create a new pool properly and emits the wrong event when the pool doesn't exist.

Vulnerability Details

Pool Creation: The setPool function does not create a new pool correctly when the specified poolId does not exist. Instead of creating a new entry in the pools mapping, it directly assigns the input p to pools[poolId]. As a result, it overwrites any existing pool with the same poolId.

Incorrect Event Emission: The function emits the PoolCreated event regardless of whether the pool exists or not. When the pool already exists, it should emit the PoolUpdated event instead. This incorrect event emission could lead to confusion and incorrect interpretation of pool management events.

Impact

These vulnerabilities could lead to various issues in the pool management system, including:

Overwriting existing pools, leading to loss of pool data and funds.
Incorrect event emission, causing confusion and difficulties in tracking pool updates.
Inadequate address validation, potentially allowing pools with invalid or 0 addresses, leading to unexpected behaviors in the protocol.

Tools Used

Manual Review

Recommendations

Implement proper pool creation logic to ensure new pools are added to the pools mapping instead of overwriting existing ones.
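
The pattern described above, next to one way to separate creation from update, as an added sketch that is not the audited contract's code. The `Pool` fields, the `bytes32` pool id, the contract names, the lender-only rule and the use of a non-zero `lender` as the existence marker are all assumptions; only `setPool`, `pools`, `poolId`, `p`, `PoolCreated` and `PoolUpdated` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical struct: the report does not show the real Pool layout.
struct Pool {
    address lender;     // assumed field, doubles as "pool exists" marker
    address loanToken;  // assumed field
    uint256 balance;    // assumed field
}

abstract contract PoolStore {
    event PoolCreated(bytes32 indexed poolId, Pool pool);
    event PoolUpdated(bytes32 indexed poolId, Pool pool);
    mapping(bytes32 => Pool) public pools;
}

// Behaviour as the report describes it: unconditional write, one event.
contract SetPoolAsReported is PoolStore {
    function setPool(bytes32 poolId, Pool calldata p) external {
        pools[poolId] = p;            // replaces whatever was stored under poolId
        emit PoolCreated(poolId, p);  // emitted even when an entry already existed
    }
}

// Hardened sketch: validate addresses, branch on existence, restrict updates.
contract SetPoolChecked is PoolStore {
    error ZeroAddress();
    error NotPoolLender();

    function setPool(bytes32 poolId, Pool calldata p) external {
        // Reject the zero-address pools listed under Impact.
        if (p.lender == address(0) || p.loanToken == address(0)) revert ZeroAddress();
        // Assumed rule: a caller may only write pools it lends from.
        if (p.lender != msg.sender) revert NotPoolLender();

        address current = pools[poolId].lender;
        if (current == address(0)) {
            // No entry yet: this is a creation.
            pools[poolId] = p;
            emit PoolCreated(poolId, p);
        } else {
            // Entry exists: only its current lender may replace it.
            if (current != msg.sender) revert NotPoolLender();
            pools[poolId] = p;
            emit PoolUpdated(poolId, p);
        }
    }
}
```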
