Users can provide any tokenId when calling RapBattle:goOnStageOrBattle() as a challenger. Neither the RapBattle:goOnStageOrBattle() method nor the internal RapBattle:_battle() method validates that the caller owns the provided tokenId when the caller is a challenger. When the caller is a defender, the oneShotNft.transferFrom call reverts if the caller does not own the token, so only the challenger path is affected.
Finding can be verified by adding the following test to the test suite.
This allows users to battle with tokens they do not own; it even allows users to battle without having minted a token at all.
Manual Review
Provided Foundry Test Suite
Add `require(oneShotNft.ownerOf(_tokenId) == msg.sender);` to the start of RapBattle:goOnStageOrBattle().
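As an added illustration (not the project's code and not the missing test), the following simplified Solidity model shows the recommended check placed at the start of goOnStageOrBattle so it covers both the defender and the challenger path. The contract layout, the `defender`/`defenderTokenId` state, the single-argument signatures and the `IERC721Min` interface are assumptions made for this example; the credit-token betting and winner selection are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed by this example (assumption, not the project's interface).
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Simplified model of the battle entry point: only the ownership check and the
// defender/challenger split are modelled; betting logic is left out.
contract RapBattleModel {
    IERC721Min public immutable oneShotNft;
    address public defender;
    uint256 public defenderTokenId;

    event Battled(address challenger, uint256 challengerTokenId, address defender, uint256 defenderTokenId);

    constructor(IERC721Min _oneShotNft) {
        oneShotNft = _oneShotNft;
    }

    function goOnStageOrBattle(uint256 _tokenId) external {
        // Recommended fix: enforce ownership for BOTH paths before any state change.
        // Standard ERC-721 implementations revert ownerOf() on a nonexistent token,
        // so a challenger who never minted anything is rejected here as well.
        require(oneShotNft.ownerOf(_tokenId) == msg.sender, "RapBattle: caller does not own token");
        if (defender == address(0)) {
            // Defender path: the NFT is escrowed, so transferFrom already enforces
            // that msg.sender owns (or is approved for) the token.
            defender = msg.sender;
            defenderTokenId = _tokenId;
            oneShotNft.transferFrom(msg.sender, address(this), _tokenId);
        } else {
            // Challenger path: the challenger's NFT is never transferred, so without
            // the require above this branch performed no ownership check at all.
            _battle(_tokenId);
        }
    }

    function _battle(uint256 _tokenId) internal {
        address _defender = defender;
        uint256 _defenderTokenId = defenderTokenId;
        emit Battled(msg.sender, _tokenId, _defender, _defenderTokenId);
        // Clear the stage and return the escrowed NFT to the defender (winner logic omitted).
        defender = address(0);
        oneShotNft.transferFrom(address(this), _defender, _defenderTokenId);
    }
}
```

Note that the ownerOf check is stricter than transferFrom alone: an approved operator who does not hold the token is rejected on the defender path too, which is the intended behaviour if only token holders should battle.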