First Flight #10: One Shot
First Flight #10
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Back-running increases chances of success

emacab98

Summary

An attacker can back-run other players to increase their chance of victory.

Vulnerability Details

An attacker, when the smart contracts are deployed on the Ethereum blockchain, can monitor the mempool in order to:

  • enter in a battle anytime another player with a "weak" NFT enters the stage waiting for a challenge, using their own "stronger" NFT. In this scenario, as the attacker owns a "stronger" NFT, they can also front-run the other player and enter the stage first;

  • enter in a battle anytime another player with a "weak" NFT enters the stage waiting for a challenge, using a "strong" NFT they do not own, exploiting an already reported issue that the second challenger to enter a battle can use any rapper pre-approved to battle, even if they do not own it.

Impact

Using this approach, an attacker can significantly increase their chances of winning the bet staked for the battle, repeatedly gaining more and more NFTs while reducing their risk of ever losing some.

Tools Used

Manual review, VSCode

Recommendations

Using a commit-and-reveal scheme for challengers to participate in the battle would solve this issue, as no challenger would be able to know the skill level of their rival beforehand.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
emacab98 Submitter
over 1 year ago
inallhonesty Lead Judge
over 1 year ago
emacab98 Submitter
over 1 year ago
inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.