First Flight #12: Kitty Connect

Beginner FriendlyFoundryNFTGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

"Idx" of burned nft won't be switched with "lastItem" popped out of "s_ownerToCatsTokenId"

hashov

Summary

"Idx" of burned nft won't be switched with "lastItem" popped out of "s_ownerToCatsTokenId" if idx itself is the last item inside of the array after the previous last item was popped out.

Vulnerability Details

Inside "KittyConnect.sol" inside "bridgeNftToAnotherChain()" the "Idx" of burned nft won't be switched with "lastItem" popped out of "s_ownerToCatsTokenId" if idx itself is the last item inside of the array after the previous last item was popped out. To make it more clear if we have s_ownerToCatsTokenIds filled with ids as such (1,2,3,4) and the idx of the nft owner wants to transfer to be equal to 3 (idx=3 with index=2, cause arrays in Solidity are 0 indexed) and we follow the business logic:

uint256[] memory userTokenIds = s_ownerToCatsTokenId[msg.sender];

uint256 lastItem = userTokenIds[userTokenIds.length - 1]; //Last item represents last token Id of the owner, so lastItem = userTokenIds.length(which is //of value 4 - 1, meaning lastItem will be at index 3 meaning value=4;

s_ownerToCatsTokenId[msg.sender].pop(); //this removes the last element of the array with "value=4 and index 3" of token Ids of the owner, and //leaves the array with total of 3 elements (1,2,3)

if (idx < (userTokenIds.length - 1)) { //This is where vulnerability occurs

s_ownerToCatsTokenId[msg.sender][idx] = lastItem;

}

to continue the example off-code our idx=3 which is not smaller than 2 (userTokenIds.length is 3-1) meaning we will not go in the if and value=4 (lastItem) will not get to the place of the idx, which leads to the idx staying in the "s_ownerToCatsTokenId" and lastItem being lost.

Impact

High, since the owner of the nft loses one of his nfts and remains with a reference to the id of the one that is burned.

Tools Used

Manual review.

Recommendations

The equation should use equal sign as well in the if statement so:

if (idx <= (userTokenIds.length - 1))

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Consider updating index of an NFT when making a transfer to another user or chain

Rewards breakdown

nSLOC

235

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.