First Flight #7: Horse Store

First Flight #7

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Absence of Horse Existence Check in `FEED_HORSE` Macro Allows Feeding Without Minting a Horse

0xtheblackpanther

Summary

In HorseStore.huff in the FEED_HORSE macro, there is an issue revolves around the absence of a check for the existence of a horse before allowing it to be fed.

Vulnerability Details

The FEED_HORSE macro does not include a check to verify the existence of the horse with the given horseId. This omission allows feeding a horse without ensuring that it has been minted previously.

Code Snippet

#define macro FEED_HORSE() = takes (0) returns (0) {

// Existing logic...

// End execution

0x11 timestamp mod

endFeed jumpi

revert

endFeed:

stop

}

Impact

It allows feeding a horse without ensuring its prior minting. This could lead to inconsistencies in the contract state and potential unexpected behavior. Basically, this break the invariant because how can horse be happy if it is not present?

POC

Copy the below code
Run it via forge test --match-test testStableMasterIsFeedingToGhostsInsteadOfHorsesInHuff

function testStableMasterIsFeedingToGhostsInsteadOfHorsesInHuff() public {

uint256 horseId = horseStore.totalSupply();

vm.warp(horseStore.HORSE_HAPPY_IF_FED_WITHIN());

vm.roll(horseStore.HORSE_HAPPY_IF_FED_WITHIN());

vm.prank(user);

horseStore.feedHorse(horseId);

assertEq(horseStore.isHappyHorse(horseId), true);

}

Results:

Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff

[PASS] testStableMasterIsFeedingToGhostsInsteadOfHorsesInHuff() (gas: 37993)

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.79s

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Tools Used

Manual review.

Recommendation

Include a check to verify the existence of the horse with the given horseId before proceeding with the feeding logic. This will prevent feeding a horse that has not been minted.

New code should be something like this:

#define macro FEED_HORSE() = takes (0) returns (0) {

// Load horseId from calldata

0x04 calldataload // [horseId]

// Check if the horse with the given horseId exists

[OWNER_LOCATION] LOAD_ELEMENT_FROM_KEYS(0x00) // [owner, horseId]

invalid_horse jumpi // [horseId]

// Continue with feeding logic

timestamp // [timestamp]

STORE_ELEMENT(0x00) // []

// End execution

0x11 timestamp mod

endFeed jumpi

revert

endFeed:

stop

invalid_horse:

INVALID_HORSE(0x00)

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Nonexistent horses can be fed

0xtheblackpanther Submitter

over 1 year ago

inallhonesty Lead Judge

over 1 year ago

0xtheblackpanther Submitter

over 1 year ago

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Nonexistent horses can be fed

Rewards breakdown

nSLOC

460

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.