First Flight #7: Horse Store

First Flight #7

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unchecked horse existence in `feedHorse` function

0xtheblackpanther

Summary

The feedHorse function in the HorseStore contract allows updating the horseIdToFedTimeStamp[horseId] for a given horseId without verifying whether the horse with that horseId has been minted. This oversight can lead to a violation of the specified invariant and inaccurate happiness checks in the isHappyHorse function.

Vulnerability Details

The issue arises in the feedHorse function, where the horseId is not checked for existence (minting) before updating the associated horseIdToFedTimeStamp[horseId]. This oversight can result in misleading information, wasted gas, and a violation of the invariant.

Impact

Breaking Invariant:
- This break the invariant because how can horse be happy if it is not present?
Misleading Information:
- Feeding non-existent horses can result in inaccurate information about the state of horses, as horseIdToFedTimeStamp[horseId] may be updated for non-existent horses.
Inconsistent State:
- The contract may end up in an inconsistent state with certain horseId values having associated timestamps but no corresponding horses.

POC

Copy the below test code
Run it via this cmd forge test --match-test testStableMasterIsFeedingToGhostsInsteadOfHorses

Test code:

function testStableMasterIsFeedingToGhostsInsteadOfHorses() public {

uint256 horseId = horseStore.totalSupply();

vm.warp(horseStore.HORSE_HAPPY_IF_FED_WITHIN());

vm.roll(horseStore.HORSE_HAPPY_IF_FED_WITHIN());

vm.prank(user);

horseStore.feedHorse(horseId);

assertEq(horseStore.isHappyHorse(horseId), true);

}

It will result in this:

Running 1 test for test/HorseStoreSolidity.t.sol:HorseStoreSolidity

[PASS] testStableMasterIsFeedingToGhostsInsteadOfHorses() (gas: 38966)

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 10.02ms

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Tools Used

Manual review.

Recommendations

Check Horse Existence:

Add a check in the feedHorse function to ensure that the provided horseId corresponds to a valid horse (exists) before updating the mapping.

e.g you can add a check like this to avoid this issue:

// Check if the horse with the given horseId exists before updating the timestamp

require(exists(horseId), "Horse does not exist");

Updates

Lead Judging Commences

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Nonexistent horses can be fed

0xtheblackpanther Submitter

almost 2 years ago

inallhonesty Lead Judge

almost 2 years ago

0xtheblackpanther Submitter

almost 2 years ago

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Nonexistent horses can be fed

Rewards breakdown

nSLOC

460

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.