Skip to content

Latest commit

 

History

History
53 lines (43 loc) · 2.66 KB

046.md

File metadata and controls

53 lines (43 loc) · 2.66 KB

Ambitious Cotton Hyena

Medium

Users can participate in Markets without buying votes

Summary

There is no prevention for the less number of votes to buy, allows user to participate in the market without paying any funds.

Description

Users can provide 0 amount of votes/disVotes to buy, this will allow users to participate in the Market of that profile without buying any votes/disVotes.

ReputationMarket.sol#L440-L456

  function buyVotes(
    uint256 profileId,
    bool isPositive,
    uint256 maxVotesToBuy,
    uint256 minVotesToBuy
  ) public payable whenNotPaused activeMarket(profileId) nonReentrant {
    _checkMarketExists(profileId);
    // preliminary check to ensure this is enough money to buy the minimum requested votes.
    (, , , uint256 total) = _calculateBuy(markets[profileId], isPositive, minVotesToBuy);
    if (total > msg.value) revert InsufficientFunds();

    (
      uint256 purchaseCostBeforeFees,
      uint256 protocolFee,
      uint256 donation,
      uint256 totalCostIncludingFees
    ) = _calculateBuy(markets[profileId], isPositive, maxVotesToBuy);
    uint256 currentVotesToBuy = maxVotesToBuy;
    ...
    // Add buyer to participants if not already a participant
    if (!isParticipant[profileId][msg.sender]) {
>>    participants[profileId].push(msg.sender);
      isParticipant[profileId][msg.sender] = true;
    }
    ...
  }

There is no check if mind/maxVotesToBuy are zero or not. In case they are provided as zero all funds to be paid by the user will be zero, which will allow users to participate in a given Profile market without sending any eth or even buying any vote/disVote.

Impacts

  • Participate in different profile markets without sending any money
  • Make a sybil attack by participating in the same profile market with different addresses, making participants array for that profile market too huge. This can affect protocol integrats with ReputationMarket as viewing the full array can cause OOG this time. and Ethos is a complete system working together and there are some parts like GRADUATION_WITHDRAWAL
  • In the last of the buying we fire _emitMarketUpdate, which updates lastMarketUpdates by the block.number, and the current market state. Having block.number equals the current block, will make the update time updates continuously even when no votes/disVotes changing occuar.

This will affect the protocol data where participants can contain users that do not even buy any vote from that market anytime.

Recommendations

Make buyVotes() forces at least on vote/disVote to buy.