Submission Details
Severity: high
Valid

Challenger can participate in battles for free.

Summary

The challenger can participate in battles for free because the code on line #49 is commented out.

Vulnerability Details

Because the code on line #49 is commented out, the challenger does not send funds to the contract.
No check is made that he even has that amount. This will cause the `_battle` function to revert when the defender wins:

```solidity
// If random <= defenderRapperSkill -> defenderRapperSkill wins, otherwise they lose
if (random <= defenderRapperSkill) {
    // We give them the money the defender deposited, and the challenger's bet
    credToken.transfer(_defender, defenderBet);
    // Pulls the challenger's bet only now, after the outcome is known
    credToken.transferFrom(msg.sender, _defender, _credBet);
}
```

The `transferFrom` call reverts if the challenger has not approved the contract to transfer funds or does not have the necessary balance. Thus the challenger can participate for free.

Impact

High because the challenger can never win.

Tools Used

Recommendations

Transfer the tokens from the challenger to the contract, like the defender's tokens.
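
The recommendation above as an added sketch, not code from the audited contract: the challenger's bet is pulled into escrow before the outcome is decided, so settlement only pays out tokens the contract already holds. The contract name `EscrowedBattle`, the `IERC20` interface, the `goOnStage` and `challenge` functions, the matching-bet requirement and the `_defenderWins` hook (standing in for the random skill comparison) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this sketch (assumed interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract illustrating the escrow pattern; not the audited code.
abstract contract EscrowedBattle {
    IERC20 public immutable credToken;
    address public defender;
    uint256 public defenderBet;

    constructor(IERC20 _credToken) { credToken = _credToken; }

    // Stand-in for the random-vs-skill comparison (assumption, implemented elsewhere).
    function _defenderWins() internal view virtual returns (bool);

    // Defender deposits the stake up front.
    function goOnStage(uint256 _credBet) external {
        require(defender == address(0), "stage occupied");
        defender = msg.sender;
        defenderBet = _credBet;
        require(credToken.transferFrom(msg.sender, address(this), _credBet), "defender deposit failed");
    }

    function challenge(uint256 _credBet) external {
        require(defender != address(0), "no defender");
        require(_credBet == defenderBet, "bets must match");
        // Escrow the challenger's stake first: a missing balance or allowance
        // reverts here for every challenger, win or lose.
        require(credToken.transferFrom(msg.sender, address(this), _credBet), "challenger deposit failed");

        address winner = _defenderWins() ? defender : msg.sender;
        uint256 pot = defenderBet + _credBet;
        // Clear state before the external call (checks-effects-interactions).
        defender = address(0);
        defenderBet = 0;
        // Pay out only tokens the contract already holds.
        require(credToken.transfer(winner, pot), "payout failed");
    }
}
```

With the deposit taken on entry, the losing branch no longer depends on an allowance or balance the challenger controls, so the settlement cannot be forced to revert after the outcome is known.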

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

missing check for sufficient `_credBet_` approval
