Strict equality required for Challenger to enter into battle with Defender
Summary
Due to a strict equality requirement that defender and challenger bet amounts must match, it will be difficult for challengers to know the correct amount to bet in order to successfully engage in battle.
Vulnerability Details
The internal function that starts a battle between two rappers, RapBattle::_battle, has a strict equality requirement for the battle to begin. The defender enters first, but there is no fixed amount required to bet. This means that the challenger, who enters second, must either guess the correct amount or use a block explorer or tool like Foundry's Cast to discover the defender's bet amount.
Severity
Medium - likelihood is High and impact is Low, as there is a workaround to avoid guessing. However, this will, at a minimum, discourage less blockchain-savvy players from playing frequently. Such players may even interpret is as a Denial of Service.
Tools Used
Visual Studio Code, manual review
Recommendations
There are several ways to address this. One might be through the user interface intended to sit on top of the OneShot set of smart contracts and could visually display to the challenger the defender's bet amount. Other approaches are more business logic oriented, such as establishing a fixed bet amount for all rappers or to take the minimum of the defender and challenger bet amounts as the bet amount for the battle.
Regardless, avoiding a reliance within the RapBattle::_battle function on a strict equality of defender and challenger bet amounts is recommended.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.