The RapBattle contract allows a challenger to participate in a battle without verifying that they own the NFT or have the required Cred tokens. This can be exploited by a challenger who initiates a battle with a random tokenId and matching credBet, without actually owning the NFT or Cred tokens. If the challenger wins, they receive the defender's Cred tokens. If they lose, the contract's attempt to transfer the challenger's Cred tokens to the defender fails, and the transaction reverts, leaving the defender uncompensated.
Add the following function to OneShotTest.t.sol
Defender calls goOnStageOrBattle with their NFT (tokenId) and Cred tokens (credBet), which are transferred to the contract.
Challenger calls goOnStageOrBattle with any existing tokenId and the same credBet amount, without owning the NFT or Cred tokens.
If the challenger wins, the credToken.transfer call succeeds, and they receive the defender's Cred tokens.
If the challenger loses, the credToken.transferFrom call fails, the transaction reverts, and the defender receives nothing.
This vulnerability allows a challenger to gamble with no risk, potentially stealing the defender's Cred tokens if they win, and facing no loss if they lose, as the transaction will revert due to the failed token transfer. This defeats the whole purpose of RapperNft and staking.
Manual review
Modify the goOnStageOrBattle function to include checks that verify the challenger's ownership of the NFT and their possession of the required Cred tokens, as well as approval for the contract to spend those tokens. Implement the following checks for the challenger before initiating a battle:
Check that the challenger owns the NFT.
++ require(oneShotNft.ownerOf(_tokenId) == msg.sender, "Challenger must own the token");
Check that the challenger has enough Cred tokens and has approved them for the contract.
++ require(credToken.allowance(msg.sender, address(this)) >= _credBet, "Challenger must approve bet amount");
++ require(credToken.balanceOf(msg.sender) >= _credBet, "Challenger must have enough Cred tokens");
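As an added example (not the project's code and not part of the original finding), the sketch below shows how goOnStageOrBattle might look with the recommended checks in place. The contract layout, storage names, interfaces, events and the winner-selection helper are all assumptions made for illustration; only the three require statements come from the recommendation above. The sketch also generalizes slightly: the checks run for every caller, and the challenger's Cred is pulled into the contract before the outcome is decided, so a lost battle can no longer revert on the payout path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interfaces, assumed for this example (not the project's own files).
interface IERC721Like {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed sketch of the RapBattle contract: storage names, events and the
// battle flow are illustrative, not the audited source.
contract RapBattleHardened {
    IERC721Like public oneShotNft;
    IERC20Like public credToken;

    address public defender;
    uint256 public defenderBet;
    uint256 public defenderTokenId;

    event OnStage(address indexed defender, uint256 tokenId, uint256 credBet);
    event Battle(address indexed challenger, uint256 tokenId, address indexed winner);

    constructor(address _oneShotNft, address _credToken) {
        oneShotNft = IERC721Like(_oneShotNft);
        credToken = IERC20Like(_credToken);
    }

    function goOnStageOrBattle(uint256 _tokenId, uint256 _credBet) external {
        // Recommended checks, applied to every caller (defender and challenger
        // alike): NFT ownership, sufficient Cred balance, and an allowance
        // large enough for the bet.
        require(oneShotNft.ownerOf(_tokenId) == msg.sender, "Challenger must own the token");
        require(credToken.balanceOf(msg.sender) >= _credBet, "Challenger must have enough Cred tokens");
        require(credToken.allowance(msg.sender, address(this)) >= _credBet, "Challenger must approve bet amount");

        if (defender == address(0)) {
            // No defender yet: stake the NFT and the Cred bet in the contract.
            defender = msg.sender;
            defenderBet = _credBet;
            defenderTokenId = _tokenId;
            emit OnStage(msg.sender, _tokenId, _credBet);
            oneShotNft.transferFrom(msg.sender, address(this), _tokenId);
            require(credToken.transferFrom(msg.sender, address(this), _credBet), "Cred transfer failed");
        } else {
            require(defenderBet == _credBet, "Bet must match defender's");
            _battle(_tokenId, _credBet);
        }
    }

    function _battle(uint256 _tokenId, uint256 _credBet) internal {
        address _defender = defender;
        uint256 _defenderTokenId = defenderTokenId;

        // Escrow the challenger's stake before the outcome is known, so a
        // losing challenger cannot cause the defender's payout to revert.
        require(credToken.transferFrom(msg.sender, address(this), _credBet), "Cred transfer failed");

        // Clear the stage before any external payout (checks-effects-interactions).
        defender = address(0);
        defenderBet = 0;
        defenderTokenId = 0;

        // Winner selection is a placeholder hook; the real contract's logic is out of scope here.
        address winner = _pickWinner(_defender, msg.sender);
        emit Battle(msg.sender, _tokenId, winner);

        // Both stakes now sit in the contract; pay the whole pot to the winner
        // and return the defender's NFT.
        require(credToken.transfer(winner, _credBet * 2), "Payout failed");
        oneShotNft.transferFrom(address(this), _defender, _defenderTokenId);
    }

    function _pickWinner(address a, address b) internal view returns (address) {
        // Placeholder only, for illustration; block.prevrandao is not a
        // suitable source of randomness for a real game.
        return uint256(keccak256(abi.encodePacked(block.prevrandao, a, b))) % 2 == 0 ? a : b;
    }
}
```

With the checks at the top of goOnStageOrBattle, a caller who does not hold the NFT, does not hold the Cred, or has not approved the contract reverts before any state changes; and because the challenger's Cred is moved into the contract before the winner is chosen, the "lose but revert" path described in the finding no longer exists regardless of which side wins.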