depositETHIntoMultipleRounds() allows for empty deposit within round
Summary
The depositETHIntoMultipleRounds() function is meant to deposit Ether into multiple rounds, but it fails to validate the Ether amount specified for each individual round. As a result, a malicious player can add empty deposits to rounds of their choice. An empty deposit does not by itself give that player a chance to win the round. However, first, by exploiting this vulnerability the player can choose which rounds to actually play in, picking those that might be most beneficial for him/her, without bearing additional costs. Second, because the number of deposits is limited, an empty deposit decreases the overall prize for the winner along with the fee accrued for the solution's owner.
Vulnerability Detail
First, the depositETHIntoMultipleRounds() function validates whether any Ether is provided with the call. Thus, the player must provide at least an amount equal to roundValuePerEntry (acts/YoloV2.sol#L314).
Then, the function checks whether the amount provided for a particular round is a multiple of roundValuePerEntry by means of a modulo operation. However, for an empty depositAmount the modulo operation returns 0, so the assertion is bypassed (acts/YoloV2.sol#L338).
Such a deposit with an empty amount is considered valid and accepted by the algorithm.
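A minimal Solidity model of the flawed per-round validation beside the check recommended in this report. It is an added example, not the YoloV2 source or the author's PoC; the contract, function, mapping and error names are assumptions, as is the final sum check against msg.value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; NOT the YoloV2 source. Only roundValuePerEntry
// and depositAmount are names from the finding; everything else is assumed.
contract MultiRoundDepositModel {
    uint256 public immutable roundValuePerEntry;
    mapping(uint256 => uint256) public depositCount; // roundId => deposit slots used
    mapping(uint256 => uint256) public roundPot;     // roundId => wei staked

    error ZeroDeposits();
    error InvalidValue();

    constructor(uint256 valuePerEntry) {
        require(valuePerEntry != 0, "valuePerEntry is zero");
        roundValuePerEntry = valuePerEntry;
    }

    // Flawed shape: only the call as a whole must carry Ether.
    function depositUnchecked(uint256 firstRound, uint256[] calldata amounts) external payable {
        _deposit(firstRound, amounts, false);
    }

    // Hardened shape: every per-round amount must be non-zero.
    function depositChecked(uint256 firstRound, uint256[] calldata amounts) external payable {
        _deposit(firstRound, amounts, true);
    }

    function _deposit(uint256 firstRound, uint256[] calldata amounts, bool rejectZero) private {
        if (msg.value == 0 || amounts.length == 0) revert ZeroDeposits();
        uint256 total;
        for (uint256 i; i < amounts.length; ++i) {
            uint256 depositAmount = amounts[i];
            // The recommended fix: without this, 0 reaches the modulo check below.
            if (rejectZero && depositAmount == 0) revert InvalidValue();
            // 0 % roundValuePerEntry == 0, so an empty amount passes this check.
            if (depositAmount % roundValuePerEntry != 0) revert InvalidValue();
            depositCount[firstRound + i] += 1; // a slot is taken even for 0 wei
            roundPot[firstRound + i] += depositAmount;
            total += depositAmount;
        }
        // Assumed accounting check: the listed amounts must add up to the Ether sent.
        if (total != msg.value) revert InvalidValue();
    }
}
```

With amounts of [0, roundValuePerEntry], depositUnchecked records a deposit in the first round while adding nothing to its pot; depositChecked reverts with InvalidValue for the same input.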
Proof of Concept
The PoC presents a scenario in which a legitimate player deposits 1 Ether in the first round and 10 Ether in the second round. The malicious player then performs a multi-round deposit covering the first and second rounds, but with the amount for the first round set to 0, as the second round appears to be potentially more beneficial. When the first round ends, the legitimate player is selected as the winner. However, in this case the winner receives back only 0.97 Ether, with 0.03 Ether consumed by fees.
Impact
A malicious player can abuse this function to make Ether deposits in future rounds without needing to play in previous rounds, whenever that is considered beneficial for him/her.
Legitimate players win a decreased overall prize within the round due to empty deposits.
The solution's owner cannot receive the minimum possible fee for such a round, as an empty deposit does not accrue a fee.
cocacola
high
Code Snippet
acts/YoloV2.sol#L338
Tool used
Manual Review, Foundry.
Recommendation
It is recommended to verify that each depositAmount is a value larger than 0, to force the player to play fairly in each round.
Duplicate of #18