A defender can withdraw from the stage at any time.
A defender can, at any point, call RapBattle:goOnStageOrBattle() to battle themself. Whether they win or lose, the outcome is the same: the risked ERC20 tokens are transferred back to the user, as is their NFT.
This vulnerability allows a defender to withdraw from the stage at 0 risk to their bet.
Manual Review
Add a check to RapBattle:_battle() to prevent a user from battling themself: require(_defender != msg.sender, "User can not battle themself!")
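The self-battle path and the recommended check, as an added Python model that is not the RapBattle contract's code or part of the original finding. The Stage class, its method names, the address strings and the settlement order (defender's bet escrowed on stage, challenger's bet pulled only on a loss, outcome forced by a parameter instead of on-chain randomness) are assumptions made for illustration.

```python
# Simplified model of a stage/battle escrow (constructed; not the audited contract).
# Assumptions: the defender's bet and NFT are escrowed on stage, the challenger's
# bet is pulled only if the challenger loses, and the NFT always returns to the defender.
class Stage:
    def __init__(self, balances, guard=False):
        self.balances = dict(balances)   # address -> token balance
        self.nft_owner = {}              # token id -> current holder
        self.guard = guard               # True applies the recommended check
        self.defender = None
        self.defender_bet = 0
        self.defender_token = None

    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def go_on_stage_or_battle(self, sender, token_id, bet, challenger_wins=False):
        if self.defender is None:  # empty stage: sender becomes the defender
            self.defender, self.defender_bet, self.defender_token = sender, bet, token_id
            self.nft_owner[token_id] = "stage"
            self._move(sender, "stage", bet)
            return "on_stage"
        return self._battle(sender, bet, challenger_wins)

    def _battle(self, sender, bet, challenger_wins):
        defender = self.defender
        if self.guard and defender == sender:
            raise PermissionError("User can not battle themself!")
        if challenger_wins:
            self._move("stage", sender, self.defender_bet)
        else:
            self._move("stage", defender, self.defender_bet)
            self._move(sender, defender, bet)
        self.nft_owner[self.defender_token] = defender
        self.defender = None
        return "challenger" if challenger_wins else "defender"


def self_battle_net(challenger_wins, guard=False):
    """Net token change and NFT holder after a user goes on stage and battles themself."""
    stage = Stage({"alice": 100}, guard=guard)
    stage.go_on_stage_or_battle("alice", token_id=1, bet=40)
    stage.go_on_stage_or_battle("alice", token_id=2, bet=40, challenger_wins=challenger_wins)
    return stage.balances["alice"] - 100, stage.nft_owner[1]
```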