Submission Details
Severity: low
Valid

Can feed horse that was not minted

Summary

Can feed horse that was not minted

Vulnerability Details

The feedHorse function of HorseStore.sol takes a uint256 as its parameter but does not verify that the given integer is lower than totalSupply. If the integer is greater than or equal to totalSupply, the horse corresponding to that tokenId has not been minted.

Impact

The horseIdToFedTimeStamp mapping is not consistent with the minted tokenIds.

Tools Used

Foundry

Recommendations

Add a check that horseId is lower than totalSupply.

POC

    pragma solidity 0.8.20;

    import {HorseStore} from "../src/HorseStore.sol";
    import {Test, console2} from "forge-std/Test.sol";

    contract Vulnerability is Test {
        HorseStore horseStore;

        function setUp() public virtual {
            // vm.unixTime() returns milliseconds; warp block.timestamp to the current time in seconds.
            vm.warp(vm.unixTime() / 1000);

            horseStore = new HorseStore();
        }

        function test_feedANotMintedHorse() public {
            uint256 totalSupply = horseStore.totalSupply();

            assertEq(totalSupply, 0);
            // So horseStore has zero horses minted.

            horseStore.feedHorse(1000);
            // We feed the horse with tokenId 1000, even though it has never been minted.

            uint256 time = horseStore.horseIdToFedTimeStamp(1000);

            assertEq(time, block.timestamp);

            bool isHappy = horseStore.isHappyHorse(1000);

            assertEq(isHappy, true);
            // We even make this unminted horse happy!
        }
    }
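
The recommended check, as an added example that is not part of the original submission or of HorseStore.sol: a stand-alone model contract with a Foundry regression test for the case the POC exercises. The names GuardedHorseStoreModel, HorseNotMinted, onlyMinted and HAPPY_WINDOW are hypothetical, and the model assumes tokenIds are minted sequentially from 0, so that horseId < totalSupply means the horse exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example: a stand-alone model, NOT the audited HorseStore.sol.
// Assumption: ids are minted sequentially from 0, so "id < totalSupply" means "minted".
contract GuardedHorseStoreModel {
    uint256 public constant HAPPY_WINDOW = 1 days; // assumed value
    uint256 public totalSupply;
    mapping(uint256 => uint256) public horseIdToFedTimeStamp;
    error HorseNotMinted(uint256 horseId, uint256 supply);

    // Rejects any id that has not been minted yet.
    modifier onlyMinted(uint256 horseId) {
        if (horseId >= totalSupply) revert HorseNotMinted(horseId, totalSupply);
        _;
    }

    function mintHorse() external returns (uint256 horseId) {
        horseId = totalSupply; // next sequential id
        totalSupply = horseId + 1;
    }

    function feedHorse(uint256 horseId) external onlyMinted(horseId) {
        horseIdToFedTimeStamp[horseId] = block.timestamp;
    }

    function isHappyHorse(uint256 horseId) external view onlyMinted(horseId) returns (bool) {
        uint256 lastFed = horseIdToFedTimeStamp[horseId];
        return lastFed != 0 && block.timestamp - lastFed < HAPPY_WINDOW;
    }
}

contract GuardedHorseStoreModelTest is Test {
    GuardedHorseStoreModel store;
    function setUp() public {
        store = new GuardedHorseStoreModel();
    }
    function test_feedUnmintedReverts_mintedSucceeds() public {
        // Same call as the POC: id 1000 with zero horses minted must now revert.
        vm.expectRevert(
            abi.encodeWithSelector(GuardedHorseStoreModel.HorseNotMinted.selector, uint256(1000), uint256(0))
        );
        store.feedHorse(1000);
        uint256 id = store.mintHorse();
        store.feedHorse(id);
        assertEq(store.horseIdToFedTimeStamp(id), block.timestamp);
        assertTrue(store.isHappyHorse(id));
    }
}
```

Guarding the read path (isHappyHorse) as well as the write path keeps an unminted id from ever being reported as a happy horse.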
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Nonexistent horses can be fed