Submission Details
Severity: low
Valid

Can Feed Imaginary Horsies - Solidity Part

Summary

Can Feed Imaginary Horsies

Vulnerability Details

feedHorse() does not check that the horse ID it receives was actually minted by the protocol. The same vulnerability exists in the Huff code too.

function testCanFeedNonExisthorseSolidity(uint256 _randomeId) public {
    // No horse is minted; _randomeId is a fuzzed value.
    vm.startPrank(user);
    horseStore.feedHorse(_randomeId);
    vm.stopPrank();
    vm.roll(horseStore.HORSE_HAPPY_IF_FED_WITHIN());
    vm.warp(horseStore.HORSE_HAPPY_IF_FED_WITHIN());
    // The never-minted horse is reported as happy.
    assertEq(horseStore.isHappyHorse(_randomeId), true);
}

Impact

Anyone can create fake happy (drugged XD) horses, and this can be checked via the horseStore.isHappyHorse() function.

Tools Used

Foundry test

Recommendations

Add a simple modifier that checks the horse exists before it is fed:

/**
 * @param horseId the id of the horse to feed
 * @notice allows anyone to feed anyone else's horse.
 */
function feedHorse(uint256 horseId) external ishorseExist(horseId) {
    horseIdToFedTimeStamp[horseId] = block.timestamp;
}

// Relies on ownerOf reverting for IDs that were never minted (as OpenZeppelin's ERC721 does).
modifier ishorseExist(uint256 _horseId) {
    ownerOf(_horseId);
    _;
}

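
A regression test for the recommended check, as an added example that is not part of the original submission or of the audited code base. `MiniHorseStore`, its `mintHorse` function, the `HorseDoesNotExist` error and the test names are constructed stand-ins, and an explicit owner lookup takes the place of the `ownerOf` call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: only the pieces the finding touches.
contract MiniHorseStore {
    uint256 public totalSupply;
    mapping(uint256 => address) private owners;
    mapping(uint256 => uint256) public horseIdToFedTimeStamp;

    error HorseDoesNotExist(uint256 horseId);

    function mintHorse() external returns (uint256 horseId) {
        horseId = totalSupply++;
        owners[horseId] = msg.sender;
    }

    // Hardened: the existence check runs before the timestamp is written.
    function feedHorse(uint256 horseId) external {
        if (owners[horseId] == address(0)) revert HorseDoesNotExist(horseId);
        horseIdToFedTimeStamp[horseId] = block.timestamp;
    }
}

contract FeedHorseRegressionTest is Test {
    MiniHorseStore store;
    address user = makeAddr("user");

    function setUp() public {
        store = new MiniHorseStore();
    }

    // Fuzzed: with nothing minted, every ID must be rejected and leave no state behind.
    function testFuzz_feedUnmintedReverts(uint256 horseId) public {
        vm.prank(user);
        vm.expectRevert(abi.encodeWithSelector(MiniHorseStore.HorseDoesNotExist.selector, horseId));
        store.feedHorse(horseId);
        assertEq(store.horseIdToFedTimeStamp(horseId), 0);
    }

    // The check must not break the intended behaviour: anyone can feed a minted horse.
    function test_feedMintedStillWorks() public {
        vm.prank(user);
        uint256 horseId = store.mintHorse();
        vm.warp(10 days);
        store.feedHorse(horseId); // called by the test contract, not the owner
        assertEq(store.horseIdToFedTimeStamp(horseId), block.timestamp);
    }
}
```
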
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Nonexistent horses can be fed
