First Flight #10: One Shot

First Flight #10

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

The user can battle against theirself in `RapBattle::goOnStageOrBattle` function

bube

Summary

The RapBattle::goOnStageOrBattle function allows a user to initiate a battle against theirself by calling the function twice with different or the same tokenId.

Vulnerability Details

The RapBattle smart contract allows a user to initiate a battle against theirself by calling the goOnStageOrBattle function twice with different or the same token IDs but the same bet amount.

function goOnStageOrBattle(uint256 _tokenId, uint256 _credBet) external {

if (defender == address(0)) {

defender = msg.sender;

defenderBet = _credBet;

defenderTokenId = _tokenId;

emit OnStage(msg.sender, _tokenId, _credBet);

oneShotNft.transferFrom(msg.sender, address(this), _tokenId);

credToken.transferFrom(msg.sender, address(this), _credBet);

} else {

// credToken.transferFrom(msg.sender, address(this), _credBet);

@> _battle(_tokenId, _credBet);

}

Impact

The RapBattle::goOnStageOrBattle function doesn't check if the address of the defender is not equal to the address of the challenger. That allows to someone to make a battle with theirself. Moreover, the provided tokenId also can be the same.
The following test function testGoOnStageOrBattleSameUser shows the following scenario: The user (Alice) has minted two rapper tokens. The user calls the function RapBattle::goOnStageOrBattle twice and receives the defender and challenger role. In that case the user will have sure win for one of the tokens. You can execute this test function with foundry command:
forge test --match-test "testGoOnStageOrBattleSameUser" -vvvvv

function testGoOnStageOrBattleSameUser() public mintRapper {

vm.startPrank(user);

oneShot.approve(address(rapBattle), 0);

rapBattle.goOnStageOrBattle(0, 0);

vm.stopPrank();

vm.startPrank(user);

oneShot.mintRapper();

oneShot.approve(address(rapBattle), 1);

rapBattle.goOnStageOrBattle(1, 0);

}

Tools Used

Manual Review, Foundry

Recommendations

Modify the RapBattle::goOnStageOrBattle function to include a check that prevents the msg.sender from initiating a battle if there is already the defender. This can be done by adding a require statement:

function goOnStageOrBattle(uint256 _tokenId, uint256 _credBet) external {

+ require(msg.sender != defender, "RapBattle: Cannot battle against yourself");

if (defender == address(0)) {

defender = msg.sender;

defenderBet = _credBet;

defenderTokenId = _tokenId;

emit OnStage(msg.sender, _tokenId, _credBet);

oneShotNft.transferFrom(msg.sender, address(this), _tokenId);

credToken.transferFrom(msg.sender, address(this), _credBet);

} else {

// credToken.transferFrom(msg.sender, address(this), _credBet);

_battle(_tokenId, _credBet);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

It's YOU vs YOU

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

It's YOU vs YOU

Rewards breakdown

nSLOC

201

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!