First Flight #12: Kitty Connect

First Flight #12: Kitty Connect
Beginner FriendlyFoundryNFTGameFi
100 EXP
View results
Submission Details
Severity: low
Valid

`KittyConnect.sol::mintCatToNewOwner` didn't check for input values, leading to the creation of NFTs without information or even manipulation.

KittyConnect.sol::mintCatToNewOwner didn't check for input values, leading to the creation of NFTs without information or even manipulation.

  • Description:

    • The protocol's purpose is to allow users to mint an NFT that will store the information of a cat and track all related data. However, the KittyConnect.sol::mintCatToNewOwner is not validating inputs before emitting the NFT.

  • Impact:

    • Skipping the validation process can incur on NFTs with empty data. Or even manipulated data by ShopPartners.

  • Proof of Concept:

    Add the following PoC to `KittyTest.t.sol`
    function testPoCShopPartnerCanManipulateCatInfo() public {
    string memory catImageIpfsHash = "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62";
    uint256 tokenId = kittyConnect.getTokenCounter();
    vm.prank(partnerA);
    kittyConnect.mintCatToNewOwner(user, catImageIpfsHash, "", "", 1);
    uint32 timeNow = 1711738682;
    vm.warp(timeNow);
    uint256 catAge = kittyConnect.getCatAge(tokenId);
    assertTrue(catAge > 1_000_000_000);
    }
  • Recommendation:

    • Always check for input values. Especially if it's not updatable.

      Implement the following code
      function mintCatToNewOwner(address catOwner, string memory catIpfsHash, string memory catName, string memory breed, uint256 dob) external onlyShopPartner {
      require(!s_isKittyShop[catOwner], "KittyConnect__CatOwnerCantBeShopPartner");
      + require(catOwner != address(0), "KittyConnect__InvalidOwnerAddress");
      + require(bytes(catIpfsHash).length > 0, "KittyConnect__EmptyIpfsHash");
      + require(bytes(catName).length > 0, "KittyConnect__EmptyCatName");
      + require(bytes(breed).length > 0, "KittyConnect__EmptyBreed");
      + require(dob > 0 && dob <= block.timestamp, "KittyConnect__InvalidDOB");
      uint256 tokenId = kittyTokenCounter;
      kittyTokenCounter++;
      s_catInfo[tokenId] = CatInfo({
      catName: catName,
      breed: breed,
      image: catIpfsHash,
      dob: dob,
      prevOwner: new address[](0),
      shopPartner: msg.sender,
      idx: s_ownerToCatsTokenId[catOwner].length
      });
      s_ownerToCatsTokenId[catOwner].push(tokenId);
      _safeMint(catOwner, tokenId);
      emit CatMinted(tokenId, catIpfsHash);
      }
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Inputed cat dob can be in the future, making a function revert due to underflow.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.