user can deposit into the future rounds and fix the wrong price for the ERC20 and ERC721 tokens
Summary
function deposit() allows users to deposit ERC20 and ERc721 tokens into any round they want. in the first token deposit code sets the ERC20 and ERC721 token price for that round. the issue is that attacker can deposit ERC20 and ERC721 into far feature rounds and fix very wrong price for those tokens. as result when contract reach those rounds the fixed prices will be very different than real token prices and it would create arbitrage opportunities and other ERC721 or ERC20 tokens may receive unfair risk/reward ratio.
Vulnerability Detail
function deposit() allows users to deposit ERC20 and ERc721 tokens into any round they want. in the first token deposit code sets the ERC20 and ERC721 token price for that round. this behavior is okey for current and near future rounds as the price won't change dramatically in short time but an attacker can fix the price for the far future rounds and for sure those price of tokens is gonna change until the contract reaches those rounds. this will have different impact:
if price of ERC20 or ERC721 increase until reaching those rounds then no one would deposit ERC20 and ERC721 token into those rounds and attacker will be able to DOS those rounds.
if price of ERC20 or ERC721 decrease until reaching those rounds then everyone will deposit ERC20 and ERC721 tokens into the rounds and ETH depositors would receive unfair reward/risk ratio.
this is POC:
suppose ERC20 TOKEN1 price is having a pump and TOKEN1 is whitelisted.
attacker can call deposit() for far future rounds that have ETH deposits and deposit TOKEN1 into them and fix a very high price for TOKEN1 in those rounds.
after some time price of the TOKEN1 will get back to its normal levels.
now attacker would convert his ETH into TOKEN1 and deposit his TOKEN1 into the future rounds that have wrong fix price. attacker would receive more entry point that his tokens value as the round fixed price is wrong.
as result attacker was able to deposit TOKEN1 with very high price to those rounds and receive huge amount of entry points and have more chance to win over ETH depositors.
Impact
attacker can steal ETH depositors or DOS the future rounds.
unforgiven
high
user can deposit into the future rounds and fix the wrong price for the ERC20 and ERC721 tokens
Summary
function
deposit()allows users to deposit ERC20 and ERc721 tokens into any round they want. in the first token deposit code sets the ERC20 and ERC721 token price for that round. the issue is that attacker can deposit ERC20 and ERC721 into far feature rounds and fix very wrong price for those tokens. as result when contract reach those rounds the fixed prices will be very different than real token prices and it would create arbitrage opportunities and other ERC721 or ERC20 tokens may receive unfair risk/reward ratio.Vulnerability Detail
function
deposit()allows users to deposit ERC20 and ERc721 tokens into any round they want. in the first token deposit code sets the ERC20 and ERC721 token price for that round. this behavior is okey for current and near future rounds as the price won't change dramatically in short time but an attacker can fix the price for the far future rounds and for sure those price of tokens is gonna change until the contract reaches those rounds. this will have different impact:this is POC:
deposit()for far future rounds that have ETH deposits and deposit TOKEN1 into them and fix a very high price for TOKEN1 in those rounds.Impact
attacker can steal ETH depositors or DOS the future rounds.
Code Snippet
https://github.com/sherlock-audit/2024-01-looksrare/blob/7d76b96a58a6aee38f23bb38b8a5daa3bdc03f7c/contracts-yolo/contracts/YoloV2.sol#L1032-L1120
Tool used
Manual Review
Recommendation
don't allow deposits for far future.
Duplicate of #44