CVE-2020-22647
Description
An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DepositGame smart contract v1.0 has a reentrancy vulnerability in withdrawal logic, allowing attackers to drain funds.
Vulnerability
The DepositGame smart contract (v1.0) on Ethereum contains a reentrancy vulnerability in the withdraw and GetBonusWithdraw functions. Both functions manipulate the same user balance mapping _balances. Although the withdraw function itself includes a reentrancy guard in some implementations, the GetBonusWithdraw function can modify user balances before the withdrawal is finalized, enabling an attacker to re-enter the withdraw function and drain more funds than entitled. The affected contract is the DepositGame deployed on Ethereum [1].
Exploitation
An attacker first deposits Ether into the contract via the deposit function. Then, they call GetBonusWithdraw, which reduces their balance in _balances. Before the contract state is fully updated, the attacker re-enters the withdraw function through a fallback function or a malicious recipient contract. Because the balance is still being processed, the attacker can withdraw funds multiple times, effectively stealing more Ether than their original deposit [1].
Impact
Successful exploitation allows the attacker to drain all Ether from the DepositGame contract. The attacker gains the ability to steal funds belonging to other users, resulting in total loss of funds held in the contract. This is a classic reentrancy attack leading to financial theft [1].
Mitigation
As of the available reference [1], no official fix or patched version has been released. The vendor has not provided a mitigation update. Users should avoid interacting with the DepositGame contract v1.0 until a fix is applied. Implementing proper reentrancy guards (e.g., using the Checks-Effects-Interactions pattern or a mutex) in both withdraw and GetBonusWithdraw would prevent this vulnerability.
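The mitigation described above, as an added Solidity example. It is not the DepositGame v1.0 source, which this page does not show: the function names and _balances come from the CVE text, while the function bodies, the bonus bookkeeping (_bonusPaid, BONUS) and balanceOf are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a simplified model, NOT the DepositGame v1.0 source.
// Function names and _balances follow the CVE text; all bodies are assumed.
contract DepositGameHardened {
    mapping(address => uint256) private _balances;
    mapping(address => bool) private _bonusPaid;  // hypothetical bonus bookkeeping
    uint256 private constant BONUS = 0.01 ether;  // hypothetical bonus amount
    bool private _locked;                         // one mutex for the whole contract

    // Shared guard: while either guarded function is executing, a callback
    // from the recipient cannot enter withdraw OR GetBonusWithdraw.
    modifier nonReentrant() {
        require(!_locked, "reentrant call");
        _locked = true;
        _;
        _locked = false;
    }

    function deposit() external payable {
        _balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        // Checks
        require(_balances[msg.sender] >= amount, "insufficient balance");
        // Effects: debit before any external call
        _balances[msg.sender] -= amount;
        // Interactions: the external call comes last
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function GetBonusWithdraw() external nonReentrant {
        // Checks
        require(!_bonusPaid[msg.sender], "bonus already paid");
        // Effects: record the bonus and zero the balance before paying out
        uint256 payout = _balances[msg.sender] + BONUS;
        _bonusPaid[msg.sender] = true;
        _balances[msg.sender] = 0;
        // Interactions (bonus pool assumed to be funded separately)
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }

    function balanceOf(address user) external view returns (uint256) {
        return _balances[user];
    }
}
```

The point specific to this CVE is that the guard state is shared: a mutex on withdraw alone leaves GetBonusWithdraw as a second entry point to the same _balances mapping.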
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DepositGame/DepositGame
- Range: =1.0
Patches
No patches discovered yet.
References