Submission Details
Severity:
`KittyConnect.sol::mintCatToNewOwner` didn't check for input values, leading to the creation of NFTs without information or even manipulation.
KittyConnect.sol::mintCatToNewOwner didn't check for input values, leading to the creation of NFTs without information or even manipulation.
-
Description:
The protocol's purpose is to allow users to mint an NFT that will store the information of a cat and track all related data. However, the
KittyConnect.sol::mintCatToNewOwneris not validating inputs before emitting the NFT.
-
Impact:
Skipping the validation process can incur on NFTs with empty data. Or even manipulated data by
ShopPartners.
-
Proof of Concept:
Add the following PoC to `KittyTest.t.sol`
function testPoCShopPartnerCanManipulateCatInfo() public {string memory catImageIpfsHash = "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62";uint256 tokenId = kittyConnect.getTokenCounter();vm.prank(partnerA);kittyConnect.mintCatToNewOwner(user, catImageIpfsHash, "", "", 1);uint32 timeNow = 1711738682;vm.warp(timeNow);uint256 catAge = kittyConnect.getCatAge(tokenId);assertTrue(catAge > 1_000_000_000);} -
Recommendation:
-
Always check for input values. Especially if it's not updatable.
Implement the following code
function mintCatToNewOwner(address catOwner, string memory catIpfsHash, string memory catName, string memory breed, uint256 dob) external onlyShopPartner {require(!s_isKittyShop[catOwner], "KittyConnect__CatOwnerCantBeShopPartner");+ require(catOwner != address(0), "KittyConnect__InvalidOwnerAddress");+ require(bytes(catIpfsHash).length > 0, "KittyConnect__EmptyIpfsHash");+ require(bytes(catName).length > 0, "KittyConnect__EmptyCatName");+ require(bytes(breed).length > 0, "KittyConnect__EmptyBreed");+ require(dob > 0 && dob <= block.timestamp, "KittyConnect__InvalidDOB");uint256 tokenId = kittyTokenCounter;kittyTokenCounter++;s_catInfo[tokenId] = CatInfo({catName: catName,breed: breed,image: catIpfsHash,dob: dob,prevOwner: new address[](0),shopPartner: msg.sender,idx: s_ownerToCatsTokenId[catOwner].length});s_ownerToCatsTokenId[catOwner].push(tokenId);_safeMint(catOwner, tokenId);emit CatMinted(tokenId, catIpfsHash);}
-
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
Inputed cat dob can be in the future, making a function revert due to underflow.
Rewards breakdown
nSLOC
235This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.