The ProportionalToXPReward strategy performs no validation of totalXP (or of the individual XP values) before using it in reward calculations, which allows the prize pool to be locked permanently. The reward formulas reward = userXP * prizePool / totalXP and rewards[i] = xps[i] * prizePool / totalXP fail when totalXP is zero (division by zero, so the call reverts) or extremely large (the integer division rounds every reward down to zero).
An attacker who submits manipulated XP values during result finalization can therefore lock the entire prize pool and make it impossible for winners to claim their rewards.
This is a critical vulnerability because it breaks essential functions such as claimRewards(). For example, a gaming session with a $100,000 prize pool would have all funds permanently stuck in the contract, with no recovery mechanism.
Code Snippet:
reward = userXP * prizePool / totalXP;
rewards[i] = xps[i] * prizePool / totalXP;
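The same formula with the missing checks in place, as an added example that is not the project's code or part of this report: XP inputs are validated once at result submission so that the claim path can neither divide by zero nor overflow. The library name, MAX_XP and the error names are hypothetical; Solidity 0.8 checked arithmetic is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical validation library (added example, not the project's code).
library XPRewardMath {
    error ZeroTotalXP();
    error XPTooLarge(uint256 index, uint256 xp);
    error XPSumMismatch(uint256 declaredTotal, uint256 actualSum);

    // Bound on a single XP value. With prizePool below 2^128 (true for any realistic token
    // amount in wei), xp * prizePool fits in uint256, so the multiplication cannot overflow.
    uint256 internal constant MAX_XP = type(uint128).max;

    // Reject a result set before it is stored: totalXP must be non-zero, every XP must be in
    // bounds, and totalXP must equal the sum of the individual values. Under 0.8.x checked
    // arithmetic an overflowing sum reverts here, at submission time, not at claim time.
    function validate(uint256[] memory xps, uint256 totalXP) internal pure {
        if (totalXP == 0) revert ZeroTotalXP();
        uint256 sum;
        for (uint256 i = 0; i < xps.length; i++) {
            if (xps[i] > MAX_XP) revert XPTooLarge(i, xps[i]);
            sum += xps[i];
        }
        if (sum != totalXP) revert XPSumMismatch(totalXP, sum);
    }

    // Proportional share for one player; the report's formula, guarded against totalXP == 0.
    function share(uint256 userXP, uint256 prizePool, uint256 totalXP) internal pure returns (uint256) {
        if (totalXP == 0) revert ZeroTotalXP();
        return userXP * prizePool / totalXP;
    }

    // Distribute the pool. The wei lost to rounding is returned as dust so the caller can
    // route it somewhere explicit (last winner, treasury) instead of leaving it stranded.
    function distribute(uint256[] memory xps, uint256 prizePool, uint256 totalXP)
        internal pure returns (uint256[] memory rewards, uint256 dust)
    {
        validate(xps, totalXP);
        rewards = new uint256[](xps.length);
        uint256 paid;
        for (uint256 i = 0; i < xps.length; i++) {
            rewards[i] = share(xps[i], prizePool, totalXP);
            paid += rewards[i];
        }
        dust = prizePool - paid; // sum of floored shares never exceeds prizePool
    }
}
```

These checks only stop the lockup; whether the asserted XP values are honest is still decided by the UMA dispute window, not by the contract.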
Attack Path:
1. A gaming session is created using the ProportionalToXPReward strategy.
2. Players participate normally in the session.
3. During result submission, the asserter manipulates the XP values: it sets all XP values to 0 (so totalXP = 0) or to extremely large numbers such as 2^255.
4. The UMA oracle finalizes these values because the assertion goes undisputed.
5. When users attempt to claim through claimRewards, their transactions either revert or return zero rewards.
Result: all prize money becomes permanently inaccessible.
Coded POC Attached