Trick or Treat

First Flight #27 (Beginner Friendly, Foundry)

Submission Details
Severity: high
Invalid

Missing msg.value check in trickOrTreat function

Summary

There is no verification of msg.value in the trickOrTreat function, allowing users to send any amount of Ether, including zero, when calling this function.

Vulnerability Details

A critical vulnerability exists in the trickOrTreat function that allows users to exploit the system for significant financial gain. There are two possible scenarios in which the missing check can be exploited.

Number 1

Here's how this exploit could work:

  1. A malicious user can repeatedly call the trickOrTreat function, paying only for gas fees but sending zero Ether. This allows them to accumulate multiple trick attempts at minimal cost.

  2. Eventually, one of these attempts will trigger the trick event, enabling the user to call the resolveTrick function and obtain an NFT.

  3. Some might argue that this isn't profitable because the NFT would be purchased at double the price. However, this overlooks a sophisticated strategy that exploits market dynamics:

  • Initially, the NFT might be priced at 2 Ether.

  • Over time, as often happens in the NFT market, the value could increase dramatically, potentially reaching 20 Ether.

  • The malicious user then takes advantage of this price discrepancy: they buy the rarest and most expensive NFT from the contract for 4 Ether (double the original price).

  • By doing so, they realize a profit of 16 Ether per NFT (20 Ether current value minus 4 Ether purchase price).

Number 2

Here's how this exploit could work:

  1. A malicious user can repeatedly call the trickOrTreat function, sending only half of the NFT's price while waiting for the treat event to be triggered.

  2. If the treat event occurs, the user successfully acquires the desired NFT at half price, realizing an immediate 50% discount on the purchase.

  3. If neither a trick nor a treat event is triggered, the function instead reverts and returns the user's Ether. In that case the malicious actor loses only the gas fees for the transaction.

  4. Given these favorable odds, there is little to deter users from repeatedly attempting this strategy. There is certainly a chance that the user gets a trick event, but why not try to secure a 50% discount?

Impact

The missing msg.value check creates several potential vulnerabilities that could be exploited by malicious users. For instance, it may enable someone to purchase an NFT at half price or even obtain one for zero Ether.

Tools Used

Manual code analysis.

Recommendations

To mitigate this issue, it would be advisable to add a check in the trickOrTreat function to ensure that msg.value meets certain criteria, such as being equal to or greater than a predetermined price for the NFT. This would prevent users from exploiting the lack of validation to obtain NFTs at reduced or zero cost.
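As an added illustration (a hypothetical simplified contract, not the audited First Flight #27 code and not the submitter's patch), the msg.value check is applied at the point where the outcome-dependent price is known, so the half-price treat described in scenario 2 still works while zero-value and under-paid calls revert; the names owedForTrick, balanceOf, _roll and _refund are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example for this report; not the audited contract.
// Mechanic as the report describes it: treat = half price, trick = double price
// settled later through resolveTrick, anything else = list price.
contract TrickOrTreatExample {
    struct Treat { uint256 cost; }                   // list price in wei
    mapping(string => Treat) public treatList;
    mapping(address => uint256) public owedForTrick; // price still due after a trick
    mapping(address => uint256) public balanceOf;    // stand-in for an NFT mint
    uint256 private nonce;

    constructor() { treatList["pumpkin"] = Treat(1 ether); }

    // Block-data randomness is predictable; it is used only to keep the example self-contained.
    function _roll() internal returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.prevrandao, msg.sender, ++nonce))) % 1000;
    }

    function trickOrTreat(string memory _treatName) public payable {
        Treat memory treat = treatList[_treatName];
        require(treat.cost > 0, "Treat cost not set.");
        uint256 roll = _roll();
        if (roll == 0) {
            // Trick: nothing is sold in this call; the buyer owes double and claims via resolveTrick.
            owedForTrick[msg.sender] = treat.cost * 2;
            _refund(msg.value);
            return;
        }
        // Price is fixed by the outcome first, then validated: a zero-value call can never mint.
        uint256 price = roll == 1 ? treat.cost / 2 : treat.cost;
        require(msg.value >= price, "Insufficient ETH for a treat");
        balanceOf[msg.sender] += 1;                  // effects before the refund interaction
        _refund(msg.value - price);
    }

    function resolveTrick() public payable {
        uint256 owed = owedForTrick[msg.sender];
        require(owed > 0, "No pending trick");
        require(msg.value >= owed, "Insufficient ETH to resolve trick");
        owedForTrick[msg.sender] = 0;
        balanceOf[msg.sender] += 1;
        _refund(msg.value - owed);
    }

    function _refund(uint256 amount) internal {
        if (amount == 0) return;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Refund failed");
    }
}
```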

+ function trickOrTreat(
string memory _treatName
) public payable nonReentrant {
Treat memory treat = treatList[_treatName];
require(treat.cost > 0, "Treat cost not set.");
+ require(msg.value >= treat.cost, "Insufficient ETH for a treat");
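Review bot: The added `require(msg.value >= treat.cost, ...)` runs before the trick-or-treat outcome is decided, so it also rejects the half-price treat purchase that scenario 2 of this report describes as intended behaviour; if that mechanic is meant to survive, the minimum should be checked against the outcome-dependent price (half of `treat.cost` for a treat) once it is known, not against the list price up front. The `+` marker on `function trickOrTreat(` also presents the whole signature as new when only the `require` line is added, and the snippet ends without the function's closing brace, so it should be trimmed to the added line plus a few lines of unchanged context.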
Updates

Appeal created

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
