Submission Details
Severity: medium
Invalid

Missing NFT existence check in more view functions

Summary

Both OneShot::getRapperStats() and RapBattle::getRapperSkill() do not check that the arbitrarily provided tokenId actually exists.

Vulnerability Details

Because they do not check that the passed tokenId has already been minted, these functions create inconsistent state in the protocol.

Impact

RapBattle::getRapperSkill() makes it possible for anyone to freely obtain a "non-minted rapper" with a high skill of 65, which would normally require 3 staking days to obtain.

Tools Used

  • Manual review

In the trace below, I call OneShot::getRapperStats() with a tokenId not yet minted, and the function returns a RapperStats struct with state-default values for his attributes (which correspond to a skill level of 65):

[PASS] test_noAccessControlOnRapperStats() (gas: 13753)
Traces:
[13753] RapBattleTest::test_noAccessControlOnRapperStats()
├─ [2314] OneShot::getNextTokenId() [staticcall]
│ └─ ← 0
├─ [5183] OneShot::getRapperStats(2) [staticcall]
│ └─ ← RapperStats({ weakKnees: false, heavyArms: false, spaghettiSweater: false, calmAndReady: false, battlesWon: 0 })
└─ ← ()

Recommendations

Add existence checks to the functions identified above.
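
A sketch of the recommended check, added here as an illustration and not taken from the submission or from the audited contracts. OneShotSketch, its ownership mapping, the starting stats set in mint() and the skill formula are assumptions; only the RapperStats fields and the default-stats skill of 65 come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stripped-down stand-in for OneShot/RapBattle (hypothetical, not the audited code).
contract OneShotSketch {
    struct RapperStats {
        bool weakKnees;
        bool heavyArms;
        bool spaghettiSweater;
        bool calmAndReady;
        uint256 battlesWon;
    }

    error NonexistentToken(uint256 tokenId);

    uint256 private _nextTokenId;
    mapping(uint256 => address) private _owners; // assumed ownership store
    mapping(uint256 => RapperStats) private _stats;

    // Reverts unless tokenId was minted, so zero-value stats never leak out.
    modifier exists(uint256 tokenId) {
        if (_owners[tokenId] == address(0)) revert NonexistentToken(tokenId);
        _;
    }

    function mint() external returns (uint256 tokenId) {
        tokenId = _nextTokenId++;
        _owners[tokenId] = msg.sender;
        // Assumed starting stats: a fresh rapper begins with its weaknesses set.
        _stats[tokenId] = RapperStats(true, true, true, false, 0);
    }

    // Before: any id, minted or not, returns a struct (all defaults if unminted).
    function getRapperStatsUnchecked(uint256 tokenId) external view returns (RapperStats memory) {
        return _stats[tokenId];
    }

    // After: unminted ids revert instead of returning default stats.
    function getRapperStats(uint256 tokenId) external view exists(tokenId) returns (RapperStats memory) {
        return _stats[tokenId];
    }

    // Assumed formula, chosen so that all-default stats give 65 as the page reports.
    function getRapperSkill(uint256 tokenId) external view exists(tokenId) returns (uint256 skill) {
        RapperStats memory s = _stats[tokenId];
        skill = 65;
        if (s.weakKnees) skill -= 5;
        if (s.heavyArms) skill -= 5;
        if (s.spaghettiSweater) skill -= 5;
        if (s.calmAndReady) skill += 10;
    }
}
```

With the modifier in place, the getRapperStats(2) call from the trace would revert with NonexistentToken(2) while getNextTokenId() is still 0.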

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
