First Flight #7: Horse Store

First Flight #7

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Arithmetic error breaks functionality of `isHappyHorse` within the first 24h after feeding (initializing)

bigBagBoogy

Summary

Arithmetic error breaks functionality of isHappyHorse within the first 24h after feeding (initializing)

Vulnerability Details

In Solidity, block.timestamp is a uint256. If a horse is checked to be happy within the first 24 hours of having been minted, the calculation block.timestamp - HORSE_HAPPY_IF_FED_WITHIN will result in an arithmetic error. Since the outcome of this calculation would be negative, but uint256 can't be negative, it wraps around, causing the error as per the 0.8.0 Solidity over/underflow prevention update.

Impact

The current implementation of the isHappyHorse function may lead to unexpected behavior and incorrect results when checking the happiness of a horse within the first 24 hours of its creation or feeding due to the arithmetic error.

Proof of Code: Please paste this test at the bottom of Base_Test.t.sol,

and run forge test --mt test_calling_IsHappyHorse_within24hFails -vvvvv

function test_calling_IsHappyHorse_within24hFails() public {

uint256 horseId = horseStore.totalSupply();

vm.warp(horseStore.HORSE_HAPPY_IF_FED_WITHIN() - 1 hours);

vm.roll(horseStore.HORSE_HAPPY_IF_FED_WITHIN() - 1 hours);

vm.prank(user);

horseStore.mintHorse();

horseStore.feedHorse(horseId);

vm.expectRevert(); // this does not work with huff. comment out to see errors in stacktrace for both .sol and .huff

horseStore.isHappyHorse(horseId);

}

Recommendations

Update the comparison condition in the isHappyHorse function to ensure that the subtraction won't result in a negative value.

function isHappyHorse(uint256 horseId) external view returns (bool) {

- if (horseIdToFedTimeStamp[horseId] <= block.timestamp - HORSE_HAPPY_IF_FED_WITHIN) {

+ if (block.timestamp >= HORSE_HAPPY_IF_FED_WITHIN + horseIdToFedTimeStamp[horseId]) {

return false;

}

return true;

}

This modification ensures that the subtraction won't result in a negative value, preventing potential arithmetic errors, while still maintaining it's intendid functionality.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

460

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.