In depositETHIntoMultipleRounds, cutoff time is set even if nothing is deposited
Summary
In depositETHIntoMultipleRounds, cutoff time is set even if nothing is deposited
Vulnerability Detail
In depositETHIntoMultipleRounds, _setCutoffTimeIfNotSet(startingRound) is called even if amounts[0] = 0 (which is possible because only msg.value = 0 is checked).
This means that, even without a deposit, the timer on the round will start. This against the design spec, which states:
The cutoff time of each round is only set on the first deposit or when there are already deposits in the round and it's being transitioned to Open.
Impact
Cutoff time will be set without deposit being made
s1ce
medium
In
depositETHIntoMultipleRounds, cutoff time is set even if nothing is depositedSummary
In
depositETHIntoMultipleRounds, cutoff time is set even if nothing is depositedVulnerability Detail
In
depositETHIntoMultipleRounds,_setCutoffTimeIfNotSet(startingRound)is called even if amounts[0] = 0 (which is possible because onlymsg.value = 0is checked).This means that, even without a deposit, the timer on the round will start. This against the design spec, which states:
The cutoff time of each round is only set on the first deposit or when there are already deposits in the round and it's being transitioned to Open.Impact
Cutoff time will be set without deposit being made
Code Snippet
https://github.com/sherlock-audit/2024-01-looksrare/blob/main/contracts-yolo/contracts/YoloV2.sol#L322
Tool used
Manual Review
Recommendation
Don't set cutoff time unless amounts[0] != 0
Duplicate of #18