In the PriorityPool.sol contract, users can bypass the requirement of providing a valid Merkle proof to withdraw queued tokens. This bypass is possible when their account index is greater than the size of the Merkle tree, allowing unauthorized withdrawals.
In the withdraw function of PriorityPool.sol, the contract verifies a Merkle proof to ensure that the caller is entitled to withdraw tokens from the pool. However, the proof is only checked when the accountIndexes[account] < merkleTreeSize condition holds, so users whose account index is greater than the Merkle tree size bypass the Merkle proof verification entirely.
This issue arises from the following code section:
If the accountIndexes[account] value exceeds merkleTreeSize, the user is never asked for a valid Merkle proof, so the restriction is bypassed and tokens can be withdrawn without proper authorization.
This vulnerability allows unauthorized users to withdraw tokens from the contract without passing the required Merkle proof verification, potentially leading to a loss of funds in the pool and undermining the security and integrity of the withdrawal process.
Manual review.
To mitigate this vulnerability, ensure that all users, regardless of their account index, are required to provide a valid Merkle proof for withdrawals. Modify the logic to remove the account index check or adjust it so that it properly restricts withdrawals without bypassing the Merkle proof verification.
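As an added illustration (not the project's own code), a Python model of the withdraw gate this finding describes: with the index-based skip in place, an account whose index falls outside the tree withdraws with no proof at all, whereas the hardened variant verifies every caller regardless of index. The tree layout, leaf encoding and account names are assumptions of the model.

```python
import hashlib
def leaf_hash(account: str, amount: int) -> bytes:
    # Leaf commits to (account, claimable amount); the encoding is an assumption of this model.
    return hashlib.sha256(f"{account}:{amount}".encode()).digest()

def _pair(a: bytes, b: bytes) -> bytes:
    # Order-independent pair hash, in the style of sorted-sibling Merkle proofs.
    return hashlib.sha256(a + b if a <= b else b + a).digest()

def build_levels(leaves):
    # Bottom-up tree; assumes a power-of-two number of leaves.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([_pair(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def proof_for(levels, index):
    # Sibling hashes from leaf to root for the leaf at `index`.
    proof = []
    for lvl in levels[:-1]:
        proof.append(lvl[index ^ 1])
        index //= 2
    return proof

def verify(root, leaf, proof):
    node = leaf
    for sibling in proof:
        node = _pair(node, sibling)
    return node == root

class PoolModel:
    """Model of the withdraw gate the finding describes; not the real PriorityPool.sol."""
    def __init__(self, tree_entries, later_accounts, skip_proof_beyond_tree):
        self.levels = build_levels([leaf_hash(a, amt) for a, amt in tree_entries])
        self.root = self.levels[-1][0]
        self.merkle_tree_size = len(tree_entries)
        names = [a for a, _ in tree_entries] + list(later_accounts)
        self.account_indexes = {a: i for i, a in enumerate(names)}  # later joiners get indexes >= tree size
        self.skip_proof_beyond_tree = skip_proof_beyond_tree

    def withdraw(self, account, amount, proof):
        index = self.account_indexes[account]
        if self.skip_proof_beyond_tree and index >= self.merkle_tree_size:
            return True  # vulnerable path from the finding: no proof is demanded
        return verify(self.root, leaf_hash(account, amount), proof)  # hardened path: always verify

ENTRIES = [("alice", 100), ("bob", 250), ("carol", 75), ("dave", 40)]  # constructed sample distribution
def scenario(skip_proof_beyond_tree):
    return PoolModel(ENTRIES, ["eve"], skip_proof_beyond_tree)
```

`scenario(True)` reproduces the skip the finding describes and `scenario(False)` the recommended always-verify behaviour; "eve" is an account registered after the tree was built, so her index is beyond merkle_tree_size.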