Submission Details
Severity: low
Invalid

`defenderBet` and `defenderTokenId` are not reset when `defender` is reset.

Summary

`defenderBet` and `defenderTokenId` are not reset when `defender` is reset.

Vulnerability Details

When a battle takes place, `defender` is reset to the zero address regardless of who wins. However, `defenderBet` and `defenderTokenId` are not reset, causing a discrepancy between the contract's intended state and its actual state.

Impact

This vulnerability could confuse users who rely on checking `defenderBet` or `defenderTokenId`, rather than `defender`, to see whether there is a defender.
For example, a defender has an advantage over an attacker because of `if (random <= defenderRapperSkill) {`: the addition of the equals sign gives a point advantage. Users are therefore encouraged to be the defender, and if they were to check whether a defender is present based on `defenderBet`, they might never see the opportunity to become the defender.

Tools Used

Manual review

Recommendations

Add resets for `defenderBet` and `defenderTokenId` to `RapBattle:_battle()`.

```solidity
defender = address(0); // current code
defenderTokenId = 0;   // recommended addition
defenderBet = 0;       // recommended addition
```
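The stale state described above can be reproduced in a small model, added here as an illustration and not taken from the submission or the RapBattle source. Only `defender`, `defenderBet`, `defenderTokenId` and `_battle` come from the finding; `StageModel`, `enter`, `fullReset` and `StaleStateCheck` are hypothetical names, and the token IDs and bet amounts are constructed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the stage state, NOT the RapBattle source. Only
// defender, defenderBet, defenderTokenId and _battle come from the finding;
// every other name here is hypothetical.
contract StageModel {
    address public defender;
    uint256 public defenderBet;
    uint256 public defenderTokenId;
    bool public immutable fullReset; // true = apply the recommended resets

    constructor(bool _fullReset) {
        fullReset = _fullReset;
    }

    // First caller takes the stage, the next caller triggers the battle.
    function enter(uint256 tokenId, uint256 bet) external {
        if (defender == address(0)) {
            defender = msg.sender;
            defenderBet = bet;
            defenderTokenId = tokenId;
        } else {
            _battle();
        }
    }

    // Winner selection and payout are outside this model.
    function _battle() internal {
        defender = address(0);
        if (fullReset) {
            defenderTokenId = 0;
            defenderBet = 0;
        }
    }
}

contract StaleStateCheck {
    // Runs both variants through one battle and compares the leftover bet.
    function run() external returns (bool staleWithoutFix, bool cleanWithFix) {
        staleWithoutFix = _betAfterBattle(false) == 3;
        cleanWithFix = _betAfterBattle(true) == 0;
    }
    function _betAfterBattle(bool fullReset) private returns (uint256) {
        StageModel stage = new StageModel(fullReset);
        stage.enter(7, 3); // constructed values: token 7, bet 3
        stage.enter(8, 3); // second entry runs _battle()
        require(stage.defender() == address(0), "stage should be free");
        return stage.defenderBet();
    }
}
```

In both variants `defender == address(0)` holds after the battle, so in this model it is the one check that reports a free stage regardless of whether the extra resets are applied.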
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
0xKowalski Submitter
over 1 year ago
inallhonesty Lead Judge
over 1 year ago