Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

`tokenId`'s owner is not validated, allowing users to battle with tokens they do not own

Summary

Users can provide any tokenId when calling RapBattle:goOnStageOrBattle() as a challenger; ownership of that token is never checked.

Vulnerability Details

Neither the RapBattle:goOnStageOrBattle() method nor the internal RapBattle:_battle() method validates that msg.sender owns the provided tokenId when the caller is the challenger. When the caller is the defender, the oneShotNft.transferFrom call reverts if the caller does not own the token, so only the challenger path is affected.

PoC

The finding can be verified by adding the following test to the provided test suite. The test fails: the challenger's call is expected to revert (vm.expectRevert) but succeeds, which is exactly the missing check.

```solidity
function testUserMustOwnTokenToBattle() public mintRapper() {
    // 'user' (who receives tokenId 0 from the suite's mintRapper modifier)
    // goes on stage as the defender with a zero bet.
    vm.startPrank(user);
    oneShot.approve(address(rapBattle), 0);
    rapBattle.goOnStageOrBattle(0, 0);
    vm.stopPrank();

    // 'challenger' has minted nothing, yet battles with tokenId 0.
    // goOnStageOrBattle does not revert here, so vm.expectRevert is
    // unsatisfied and the test fails, demonstrating the issue.
    vm.startPrank(challenger);
    vm.expectRevert();
    rapBattle.goOnStageOrBattle(0, 0); // Uses unowned 'user's token at tokenId 0.
    vm.stopPrank();
}
```

Impact

This allows users to battle with tokens they do not own. It even allows users to battle without having minted a token at all, since any existing tokenId can be passed as the challenger's rapper.

Tools Used

Manual Review
Provided Foundry Test Suite

Recommendations

Add require(oneShotNft.ownerOf(_tokenId) == msg.sender); (ideally with a revert reason) to the start of RapBattle:goOnStageOrBattle(), before the defender/challenger branch, so both paths are covered by the same check. Because ERC721 ownerOf reverts for a tokenId that was never minted, this also rejects callers who hold no rapper at all.
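The following is an added illustration of the recommended fix, not the One Shot project's own code. It shows goOnStageOrBattle with the ownership check placed before the role branch; the contract skeleton, the custom error name, the defender bookkeeping and the simplified _battle settlement are all assumptions made for the example (only the method names, oneShotNft and the transferFrom behaviour come from the finding above).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). Assumed: OpenZeppelin interfaces,
// the error name, and a simplified battle settlement.
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract RapBattleHardened {
    IERC721 public immutable oneShotNft;
    IERC20 public immutable credToken;

    address public defender;
    uint256 public defenderTokenId;
    uint256 public defenderBet;

    // Assumed error name for the example.
    error RapBattle__NotTokenOwner(uint256 tokenId, address caller);

    constructor(address _oneShotNft, address _credToken) {
        oneShotNft = IERC721(_oneShotNft);
        credToken = IERC20(_credToken);
    }

    function goOnStageOrBattle(uint256 _tokenId, uint256 _credBet) external {
        // The fix: check ownership once, before either role branch.
        // ERC721 ownerOf reverts for a never-minted tokenId, so a caller
        // with no rapper at all is rejected here as well.
        if (oneShotNft.ownerOf(_tokenId) != msg.sender) {
            revert RapBattle__NotTokenOwner(_tokenId, msg.sender);
        }

        if (defender == address(0)) {
            // Defender path: escrow the rapper and the bet. transferFrom
            // already reverted for non-owners; the explicit check above
            // just makes both paths fail for the same reason.
            defender = msg.sender;
            defenderTokenId = _tokenId;
            defenderBet = _credBet;
            oneShotNft.transferFrom(msg.sender, address(this), _tokenId);
            credToken.transferFrom(msg.sender, address(this), _credBet);
        } else {
            // Challenger path: previously reachable with any tokenId.
            _battle(_tokenId, _credBet);
        }
    }

    // Simplified settlement for the example only. The real project's skill
    // lookup and winner selection are not reproduced; the point is that
    // _tokenId is now guaranteed to belong to msg.sender when we get here.
    function _battle(uint256 _tokenId, uint256 _credBet) internal {
        address _defender = defender;
        require(defenderBet == _credBet, "RapBattle: Bet amounts do not match");

        credToken.transferFrom(msg.sender, address(this), _credBet);
        uint256 totalPrize = defenderBet + _credBet;

        // Placeholder coin flip; on-chain values like this are NOT secure
        // randomness and are used only to make the example self-contained.
        bool defenderWins =
            uint256(keccak256(abi.encodePacked(block.prevrandao, msg.sender, _tokenId))) % 2 == 0;

        defender = address(0);
        defenderBet = 0;

        credToken.transfer(defenderWins ? _defender : msg.sender, totalPrize);
        oneShotNft.transferFrom(address(this), _defender, defenderTokenId);
    }
}
```

With this change the PoC test above passes: the challenger's goOnStageOrBattle(0, 0) now reverts with RapBattle__NotTokenOwner (or with the ERC721 nonexistent-token error for an unminted id), which satisfies the unqualified vm.expectRevert().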

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Challenger can use any nft to battle - not necessarily theirs
