Category: Coding Mistakes

Incorrect calculation of the minimum amount for Yeet

Medium Severity
Medium Impact
High Likelihood

Description

The _minimumYeetPoint function calculates the minimum amount of BERA necessary for a Yeet to be successful. The function is called in the yeet function to ensure that the amount of BERA sent is greater than or equal to this minimum. Each Yeet adds an entry to the Yeetback raffle, so the use of MINIMUM_YEET_POINT is meant to guarantee that a substantial amount of BERA is sent for every entry that is added.

function _minimumYeetPoint(uint256 totalPot) private view returns (uint256) {
    if (totalPot == 0) {
        return MINIMUM_YEET_POINT;
    }

    if (isBoostrapPhase()) {
        return MINIMUM_YEET_POINT;
    }

    return totalPot / POT_DIVISION;
}

However, despite the name of the variable MINIMUM_YEET_POINT, the minimum amount for a Yeet can be less than this variable.

If BOOSTRAP_PHASE_DURATION is set to zero, which is the default configuration, the initial amount of BERA sent should be MINIMUM_YEET_POINT. All the following Yeets should be at least MINIMUM_YEET_POINT / POT_DIVISION. However, if an attacker sends BERA to the fallback or receive function, the attacker can add 1 WEI to totalPot.

/// @notice Add a fallback function to accept BERA
fallback() external payable {
    //Sucks to be you ;)
    potToWinner += msg.value;
    emit Yeetard(msg.sender, block.timestamp, potToWinner, _minimumYeetPoint(potToWinner), roundNumber);
}

/// @notice Add a receive function to accept BERA
receive() external payable {
    //Sucks to be you ;)
    potToWinner += msg.value;
    emit Yeetard(msg.sender, block.timestamp, potToWinner, _minimumYeetPoint(potToWinner), roundNumber);
}

This causes the following Yeets to require considerably less BERA than MINIMUM_YEET_POINT / POT_DIVISION: with totalPot equal to 1 WEI, totalPot / POT_DIVISION rounds down to zero. Subsequent users then only have to pay 1 WEI to add a Yeet (the only remaining lower bound is that addYeetVolume requires the value to be nonzero).

Impact

An attacker can obtain a number of entries in the Yeetback raffle using a small amount of BERA.

Recommendations

In the _minimumYeetPoint function, ensure the minimum amount for a Yeet is greater than or equal to the MINIMUM_YEET_POINT variable.
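The following Python model, added here and not part of the audited project, replays the 1 WEI scenario from the description against the original minimum computation and against one way of implementing the recommendation (clamping the result to MINIMUM_YEET_POINT). The constant values are assumed placeholders, and the in_bootstrap flag stands in for the contract's isBoostrapPhase() check.

```python
# Model of the finding, not the project's Solidity. Constant values are assumed
# placeholders; the names mirror those used in the report.
MINIMUM_YEET_POINT = 10**18   # assumed: 1 BERA expressed in wei
POT_DIVISION = 100            # assumed divisor
BOOSTRAP_PHASE_DURATION = 0   # default configuration per the finding


def minimum_yeet_point_vulnerable(total_pot: int, in_bootstrap: bool = False) -> int:
    """Mirrors the original _minimumYeetPoint: once the pot is nonzero the
    minimum becomes totalPot / POT_DIVISION, which rounds down to 0 for a 1 wei pot."""
    if total_pot == 0 or in_bootstrap:
        return MINIMUM_YEET_POINT
    return total_pot // POT_DIVISION


def minimum_yeet_point_fixed(total_pot: int, in_bootstrap: bool = False) -> int:
    """One implementation of the recommendation: the minimum never drops
    below MINIMUM_YEET_POINT, but still scales with the pot for large pots."""
    if total_pot == 0 or in_bootstrap:
        return MINIMUM_YEET_POINT
    return max(MINIMUM_YEET_POINT, total_pot // POT_DIVISION)


def required_to_yeet(total_pot: int, min_fn) -> int:
    """Amount a caller must actually send: the computed minimum, except that
    addYeetVolume rejects a zero value, so the floor is 1 wei."""
    return max(1, min_fn(total_pot))


def simulate(min_fn) -> list[int]:
    """Replay the scenario: empty pot, then 1 wei sent to fallback()/receive(),
    and report what the next Yeet must pay after each step."""
    pot = 0
    requirements = [required_to_yeet(pot, min_fn)]   # empty pot: MINIMUM_YEET_POINT
    pot += 1                                          # dust deposit via receive()
    requirements.append(required_to_yeet(pot, min_fn))
    return requirements


if __name__ == "__main__":
    print("original:", simulate(minimum_yeet_point_vulnerable))  # second entry is 1 wei
    print("fixed:   ", simulate(minimum_yeet_point_fixed))       # stays at MINIMUM_YEET_POINT
```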

Remediation

This issue has been acknowledged by Sanguine Labs LTD, and a fix was implemented in commit 3944c308.

Zellic © 2024