Submission Details
Severity: high
Invalid

A user (an address) should not be able to mint more than one RPR

Summary

A user (an address) should not be able to mint more than one RPR.

Vulnerability Details

A user can mint as many RPR as they want and use them to participate in the same battle.
The user is then sure to always win and to increase the `battleWon` property in their stats.
They can also use one RPR to participate in a battle while another RPR is staked in Streets.sol to earn the Cred ERC20, so the user never runs out of CRED.

POC

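Put the test excerpt below in `test/OneShotTest.t.sol`:

```solidity
// Test that a user can mint more than one NFT
function testMintMoreNFTs() public {
    vm.startPrank(user);
    // First mint: token id 0, approved for the Streets staking contract
    oneShot.mintRapper();
    oneShot.approve(address(streets), 0);
    // Second mint from the same address: token id 1
    oneShot.mintRapper();
    oneShot.approve(address(streets), 1);
    vm.stopPrank();
    // The same address now holds more than one RPR
    assert(oneShot.balanceOf(user) > 1);
}
```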

In the terminal, run the following command:

```bash
forge test --mt testMintMoreNFTs
```

Impact

This allows collusion in battle and leads to a user always winning battles.
A user can take part in a battle and stake an RPR at the same time, increasing their CRED whether they win or lose.

Tools Used

Manual review

Recommendations

Restrict RPR minting so that each address can mint only one RPR.
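One way to implement this restriction, shown as an added example that is not part of the original submission or the project's code. The contract name `OneMintPerAddress`, the `hasMinted` mapping, the `AlreadyMinted` error, the token name and the OpenZeppelin/forge-std import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the RPR token; not the project's OneShot.sol.
contract OneMintPerAddress is ERC721 {
    error AlreadyMinted(address minter);

    uint256 private _nextTokenId;

    // Records every address that has ever minted. A balanceOf(msg.sender) == 0
    // check would be reset by transferring the token away and minting again.
    mapping(address => bool) public hasMinted;

    constructor() ERC721("Rapper", "RPR") {} // constructed name and symbol

    function mintRapper() external {
        if (hasMinted[msg.sender]) revert AlreadyMinted(msg.sender);
        hasMinted[msg.sender] = true; // set before _safeMint, which may call the minter
        _safeMint(msg.sender, _nextTokenId++);
    }
}

// Foundry test: the second mint from the PoC now reverts.
contract OneMintPerAddressTest is Test {
    OneMintPerAddress internal rpr;
    address internal user;

    function setUp() public {
        rpr = new OneMintPerAddress();
        user = makeAddr("user");
    }

    function testSecondMintReverts() public {
        vm.startPrank(user);
        rpr.mintRapper();
        // Moving token 0 away must not re-enable minting for this address.
        rpr.transferFrom(user, address(0xBEEF), 0);
        vm.expectRevert(abi.encodeWithSelector(OneMintPerAddress.AlreadyMinted.selector, user));
        rpr.mintRapper();
        vm.stopPrank();
        assertEq(rpr.balanceOf(user), 0);
    }
}
```

This guard limits mints per address only: an RPR received by transfer, or minted from a second address, is not covered by it.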

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
