Was this helpful?
Submitted on Mar 17th 2025 at 11:36:14 UTC by @BenR for
Report ID: #41660
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeetback.sol
Impacts:
Permanent freezing of funds
To determine the 10 winners of the yeetback, the Yeetback contract calls the Entropy service to get a randome number. For this call to the Entropy service the address of an entropyProvider is given by the Yeetback contract. If the provided entropyProvider is blacklisted or stops providing random numbers the whole Yeet protocol will be DOSED because both the entropyProvider state variable in the Yeetback contract and the yeetback state variable in the Yeetcontract cannot be changed.
After a yet round is over, a new round is restarted by calling Yeet::restart(). This function calls the addYeetback() function of the contract stored in the state variable yeetback.
This in turn calls entropy.requestWithCallback to acquire a random number which is used to determine the winners of the yeetbacks.
The function call to entropy.requestWithCallback() take the address of an entropy provider as an argument which is stored in the state variable entropyProvider. Once this variable is set in the constructor it cannot be changed.
The issue arises from the fact that the call to entropy.requestWithCallback() can revert if the provided entropyProvider does not exist or does not have any randomness left. This can happen if the entropyProvider is blacklisted (https://docs.pyth.network/entropy/protocol-design) or all provided random numbers are already used up since the provider only provides a limited amount of random numbers. (requestWithCallback() => requestHelper() https://github.com/pyth-network/pyth-crosschain/blob/c905fbe1a8bc1d78bcae483e9bca6009db6d9be1/target_chains/ethereum/contracts/contracts/entropy/Entropy.sol#L202C4-L251C6)
Because neither the entropyProvider state variable in the Yeetback contract nor the yeetback state variable in the Yeetcontract can be changed, if the entropyProvider runs out of randomness, the Yeet protocol will not be able to start a new round and distribute the winnings from the last round until the entropyProvider supplies new random numbers. In case the entropyProvider get blacklisted or decides to quit being a provider, the Yeet protocol will be DOSed permanently.
Add a function to Yeetback which allows the owner to change the entropyProvider state variable.
Also consider adding a function to the Yeet contract which allows the owner to change the yeetback state variable.
https://github.com/pyth-network/pyth-crosschain/blob/c905fbe1a8bc1d78bcae483e9bca6009db6d9be1/target_chains/ethereum/contracts/contracts/entropy/Entropy.sol#L202C4-L251C6
https://docs.pyth.network/entropy/protocol-design
Scenario 1:
Yeetback is deployed and entropyProvider is set to the address of the initalEntroyProvider
The initalEntroyProvider supplies 100 random numbers on chain which are all used up by calls from users of the Entropy protocol
One yeet round of the Yeet protocol is over and restart() is called
since all random numbers of the entropyProvider are used up, the call to restart() reverts and the Yeet protocol can not start a new round and distribute the winnings from the last round until the provider supplies new random numbers
Scenario 2:
Yeetback is deployed and entropyProvider is set to the address of the initalEntroyProvider
The initalEntroyProvider is blacklisted and removed from the Entropy protocol
one yeet round of the Yeet protocol is over and restart() is called
call reverts because the provider is no longer available and the yeet protocol is permanently DOSed and cannot start a new round and distribute the winnings from the last round
