First Flight #10: One Shot

First Flight #10

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Challengers Can Battle Without Owning RapperNFTs or Cred Tokens

funkornaut

Summary

Once a Rapper has gone on stage a challenger does not need any Rapper NFTs or Cred Tokens to be able to battle them

Vulnerability Details

There are no checks as to whether a challenger owns the Rapper or Cred tokens it takes to enter a battle.

Impact

Anyone can battle a rapper on stage at no cost.

Tools Used

Manual Review
Foundry

PoC - add this to OneShotTest.t.sol

function test_canBattleWithRapperAndCredIDontOwn() public twoSkilledRappers {

vm.startPrank(user);

oneShot.approve(address(rapBattle), 0);

cred.approve(address(rapBattle), 4);

rapBattle.goOnStageOrBattle(0, 4);

vm.stopPrank();

address biggie = makeAddr("Biggie");

vm.startPrank(biggie);

assert(cred.balanceOf(biggie) == 0);

rapBattle.goOnStageOrBattle(1, 4);

}

Recommendations

Add checks that the user trying to challenge the Rapper onstage has a Rapper NFT and the proper Cred tokens to do battle.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Challenger can use any nft to battle - not necessarily theirs

missing check for sufficient `_credBet_` approval

Rewards breakdown

nSLOC

201

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.