Submission Details
Severity: high
Valid

Flawed Challenger Entry Mechanism in `goOnStageOrBattle`

Summary

The RapBattle.sol contract allows challengers to participate without staking tokens or NFTs, leading to potential exploitation where challengers risk nothing but can gain rewards.

Vulnerability Details

The goOnStageOrBattle function in RapBattle.sol fails to verify if the challenger has approved the transfer of their Cred tokens to the contract before initiating a battle.

This oversight is due to the absence of a call to ERC20.approve to ensure that the contract is authorised to move these assets on behalf of the challenger.

Impact

This vulnerability directly impacts the fairness and integrity of the RapBattle game. It allows challengers to participate in battles without any financial risk, potentially winning rewards without staking their own assets.

Tools Used

Manual review

Recommendations

Implement a check within the goOnStageOrBattle function to ensure that challengers have approved the transfer of the required amount of Cred tokens before they can proceed to battle.

A code snippet to illustrate the recommended check:

```solidity
require(
    credToken.allowance(msg.sender, address(this)) >= _credBet,
    "RapBattle: Token transfer not approved"
);
```

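
The recommended check placed in a full entry flow, as an added sketch that is not the RapBattle code. The contract name `StakedEntrySketch`, its state variables, the `_pickWinner` hook and the `Sketch:` error strings are assumptions. It goes one step beyond the recommendation by pulling the stake with `transferFrom` at entry, because an allowance can be granted without the balance to back it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by this sketch.
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified entry flow (assumption); not the audited contract.
abstract contract StakedEntrySketch {
    IERC20 public immutable credToken;
    address public defender;
    uint256 public defenderBet;

    constructor(IERC20 _credToken) {
        credToken = _credToken;
    }

    // Outcome logic is out of scope here; a concrete contract supplies it.
    function _pickWinner(address a, address b) internal view virtual returns (address);

    function goOnStageOrBattle(uint256 _credBet) external {
        // The check recommended above: the contract must be approved for the bet.
        require(
            credToken.allowance(msg.sender, address(this)) >= _credBet,
            "RapBattle: Token transfer not approved"
        );
        // Escrow the stake now, so both sides of the bet are held before any payout.
        require(
            credToken.transferFrom(msg.sender, address(this), _credBet),
            "Sketch: stake transfer failed"
        );
        if (defender == address(0)) {
            defender = msg.sender;
            defenderBet = _credBet;
            return;
        }
        require(_credBet == defenderBet, "Sketch: bet amounts must match");
        address winner = _pickWinner(defender, msg.sender);
        uint256 pot = defenderBet + _credBet;
        // Clear state before the external call, then pay out the funded pot.
        defender = address(0);
        defenderBet = 0;
        require(credToken.transfer(winner, pot), "Sketch: payout failed");
    }
}
```
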
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

missing check for sufficient `_credBet_` approval
