First Flight #10: One Shot
First Flight #10
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

The property `battlesWon` is never updated

carlosalbawork

Summary

The property battlesWon is never updated

Vulnerability Details

The function RapBattle::_battle makes 2 NFTs battle and get a winner from it

function _battle(uint256 _tokenId, uint256 _credBet) internal {
.
.
.
if (random <= defenderRapperSkill) {
// We give them the money the defender deposited, and the challenger's bet
credToken.transfer(_defender, defenderBet);
credToken.transferFrom(msg.sender, _defender, _credBet);
} else {
// Otherwise, since the challenger never sent us the money, we just give the money in the contract
credToken.transfer(msg.sender, _credBet);
}
totalPrize = 0;
// Return the defender's NFT
oneShotNft.transferFrom(address(this), _defender, defenderTokenId);
}

However, the property that shows how many battles an NFT has won is never updated! So always remains 0!

Impact

People can not know how many battles the Rapper NFTs won.

Tools Used

Manual Review

Recommendations

Update the value of battlesWon inside the if-else clause where the rewards are transfered. However, OneShot::updateRapperStats has the modifier onlyStreetContract that reverts any call from RapBattle or any other contract that is not Streets, so it might be useful to add a function that only updates the battle won with a modifier that only allows the call from RapBattle.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`battlesWon` is never updated

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.