[M-04] Attacker can spam function deposit() to always increase price in AuctionV1Base
Severity
Impact: Medium
Likelihood: Medium
Description
In AuctionV1Base, there are multiple rounds with fluctuating prices, depending on user demand. User demand is tracked by the prevRoundDeposits variable, which increases each time a user makes a deposit.
function deposit(uint256 amount) public payable {
...
if(deposits[_msgSender()] == 0) {
participants.push(_msgSender());
}
deposits[_msgSender()] += amount;
// @audit Attacker can spam to fake demand and always increase price
prevRoundDeposits += 1;
}
However, deposit() accepts any non-zero value, even 1 wei, and increments prevRoundDeposits by one on every call, regardless of the amount sent and of whether the caller has deposited before. An attacker can therefore call deposit() repeatedly from a single address at negligible cost (gas plus 1 wei per call), creating the illusion of high demand and driving the next round's price up. Even without ever buying a ticket, they can force everyone else to pay more.
Recommendations
Consider only incrementing prevRoundDeposits when the deposited amount is at least the current ticket price, so that every counted unit of demand costs the attacker real capital rather than 1 wei. Alternatively, measure demand in ticket-sized units of the deposited value (amount / ticketPrice) instead of in calls, which has the same effect while still crediting deposits that cover several tickets.
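The following contract is an added illustration written for this finding; it is not AuctionV1Base code. It places the per-call counter from the finding next to a hardened variant that generalizes the recommendation by counting demand in ticket-sized units of the deposited value, and includes a spammer contract that shows the difference. Everything about pricing is assumed: deposits arrive as msg.value, a round holds TICKETS_PER_ROUND tickets, and startNextRound() moves the price by 10% when the previous round's counter is above or below that number. The real contract's pricing curve and round handling are not shown in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration for this finding; not the project's own code.
/// Assumed: deposits are paid via msg.value, a round has a fixed ticket
/// count, and the next round's price rises 10% when the previous round's
/// demand counter exceeds that count (and falls 10% when it is below it).
contract DemandCounterExample {
    uint256 public ticketPrice = 1 ether;
    uint256 public constant TICKETS_PER_ROUND = 10; // assumed round size
    uint256 public prevRoundDeposits;

    address[] public participants;
    mapping(address => uint256) public deposits;

    // Pattern from the finding, kept as the "before": the counter grows on
    // every call, so a 1 wei deposit counts exactly as much as a full ticket.
    function depositVulnerable() external payable {
        if (deposits[msg.sender] == 0) {
            participants.push(msg.sender);
        }
        deposits[msg.sender] += msg.value;
        prevRoundDeposits += 1;
    }

    // Hardened form of the recommendation: demand is measured in ticket-sized
    // units of this call's value, so inflating the counter by N costs N tickets
    // worth of capital. Dust deposits are still accepted but count for nothing.
    function depositHardened() external payable {
        if (deposits[msg.sender] == 0) {
            participants.push(msg.sender);
        }
        deposits[msg.sender] += msg.value;
        prevRoundDeposits += msg.value / ticketPrice;
    }

    // Assumed round transition: over-demand raises the price, under-demand
    // lowers it, and the counter is reset for the next round.
    function startNextRound() external {
        if (prevRoundDeposits > TICKETS_PER_ROUND) {
            ticketPrice = ticketPrice * 110 / 100;
        } else if (prevRoundDeposits < TICKETS_PER_ROUND) {
            ticketPrice = ticketPrice * 90 / 100;
        }
        prevRoundDeposits = 0;
    }
}

/// Attacker contract for the demonstration. Against depositVulnerable(),
/// 11 calls carrying 1 wei each push prevRoundDeposits above
/// TICKETS_PER_ROUND, so startNextRound() raises the price for everyone.
/// The same 11 wei sent through depositHardened() add zero demand.
contract DemandSpammer {
    function spam(DemandCounterExample target, uint256 calls, bool hardened) external payable {
        require(msg.value >= calls, "need 1 wei per call");
        for (uint256 i = 0; i < calls; i++) {
            if (hardened) {
                target.depositHardened{value: 1}();
            } else {
                target.depositVulnerable{value: 1}();
            }
        }
    }
}
```

Deploy both contracts, call spam(target, 11, false) with 11 wei and then startNextRound(): ticketPrice moves from 1 ether to 1.1 ether although no ticket was bought. Repeating the experiment with hardened = true leaves prevRoundDeposits at zero, so the round transition lowers the price instead. Note that the hardened path still lets a funded attacker buy demand, but only at one ticket's price per counted unit, which is the property the recommendation is after.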