attacker can win the game without being last active agent
Summary
In case a user has a lot of agents and can make it that an escape of agents leaves only 1 living agent, the placement is not updated correctly.
Vulnerability Detail
The contract uses the agentIndex to determine the final placement.
This starts to equal the tokenId. Than, whenever an agent dies or escapes, his index is swapped with the last index.
The problem is that, as soon as a round starts with only 1 living agent left, the indexes are not updated anymore.
Therefore, using escape, an attacker can force to go down to only 1 agent, but still get the reward for the first price, as his agent sits in the first position
0xReiAyanami
high
attacker can win the game without being last active agent
Summary
In case a user has a lot of agents and can make it that an escape of agents leaves only 1 living agent, the placement is not updated correctly.
Vulnerability Detail
The contract uses the agentIndex to determine the final placement. This starts to equal the tokenId. Than, whenever an agent dies or escapes, his index is swapped with the last index.
The problem is that, as soon as a round starts with only 1 living agent left, the indexes are not updated anymore.
Therefore, using escape, an attacker can force to go down to only 1 agent, but still get the reward for the first price, as his agent sits in the first position
Impact
Attacker can steal prize pool
Code Snippet
https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L589-L592
Tool used
Manual Review
Recommendation
update the indexes one last time when the final state is reached
Duplicate of #98