unfair opportunities because price of assets is fixed for a round while the price changes during a round
Summary
when users deposits ERC20 or ERC721 into a round, code fixes a price for that round and use that price for all the deposits. the issue is that the price of those tokens can change during a round and so different depositors will put different values into the system while receiving same amount of entry points.
for example if ERC20 price is set for a round and after that the ERC20 price drops then thew new users can deposit ERC20 token into that round with higher price and receive points based on out dated price.
Vulnerability Detail
in function _deposits() code uses the fixed price for each round when deposits happens. this create an issue when the price of tokens changes, the result is that different users put different value into a round but receive same amount of entry point. one can use this to get favorable risk/reward ratio. this is the POC:
value per entry is 1 ETH and users receive 1 entry for 1ETH deposit.
the price of NFT1 is 100 ETH and USER1 deposits 1 into round ID1 and receive 100 entry points. code would set price of NFT1 as 100 ETH for round ID1.
USER2 deposits 100 ETH into the round ID1 and receive 100 entry point too.
after some time the price of NFT1 drops to 10ETH, now USER3 would see an opportunity to deposit NFT1 into round ID1 and use this wrong fixed price for his advantages.
USER3 have 10 ETH and if he deposits his 10ETH into the round ID1 would receive 10 entry points. but instead USER3 would buy 1 NFT1 token with price 10ETH and deposit that into the round and receive 100 entry points.
as result USER3 would risked 10 ETH while USER2 risked 100ETH but they both received 100 entry points and have the same winning chance to win 300 ETH.
if price of the token goes higher the round will be move favorable for ETH depositors.
Impact
users would get different risk/reward ratio and attacker can use this wrong fixed price to perform arbitrage and win over the already deposited ETH or tokens.
unforgiven
medium
unfair opportunities because price of assets is fixed for a round while the price changes during a round
Summary
when users deposits ERC20 or ERC721 into a round, code fixes a price for that round and use that price for all the deposits. the issue is that the price of those tokens can change during a round and so different depositors will put different values into the system while receiving same amount of entry points. for example if ERC20 price is set for a round and after that the ERC20 price drops then thew new users can deposit ERC20 token into that round with higher price and receive points based on out dated price.
Vulnerability Detail
in function
_deposits()code uses the fixed price for each round when deposits happens. this create an issue when the price of tokens changes, the result is that different users put different value into a round but receive same amount of entry point. one can use this to get favorable risk/reward ratio. this is the POC:if price of the token goes higher the round will be move favorable for ETH depositors.
Impact
users would get different risk/reward ratio and attacker can use this wrong fixed price to perform arbitrage and win over the already deposited ETH or tokens.
Code Snippet
https://github.com/sherlock-audit/2024-01-looksrare/blob/7d76b96a58a6aee38f23bb38b8a5daa3bdc03f7c/contracts-yolo/contracts/YoloV2.sol#L1095-L1106 https://github.com/sherlock-audit/2024-01-looksrare/blob/7d76b96a58a6aee38f23bb38b8a5daa3bdc03f7c/contracts-yolo/contracts/YoloV2.sol#L1161-L1179
Tool used
Manual Review
Recommendation
code shouldn't fix the price for a round and always use the updated price. or code should execute rounds separately for each token.
Duplicate of #44