Description
This attack exploits the vulnerabilities “exception disorder” and “stack size limit”, and is performed by the contract owner. His goal is not to pay the winner, so that the ether is kept by the contract, and redeemable by the owner at a later time. To fulfil this goal, the owner has to make the send at line 24 fail. His first step is to publish the following contract:
Then, the owner calls Mallory’s attack, which starts invoking herself recursively, making the stack grow. When the call stack reaches the depth of 1022, Mallory invokes Governmental’s resetInvestment, which is then executed at stack size 1023. At this point, the send at line 24 fails, because of the call stack limit (the second send fails as well). Since GovernMental does not check the return code of send, the execution proceeds, resetting the contract state (lines 27-29), and starting another round. The balance of the contract increases every time this attack is run, because the legit winner is not paid. To collect the ether, the owner only needs to wait for another round to terminate correctly.
Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:R/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:H