Beginner Friendly FoundryNFT
100 EXP
Submission Details
Severity: medium
Valid

TokenIds Passed to `ChoosingRam::increaseValuesOfParticipants` Can Be the Same, Bypassing the Function’s `random` Check

Summary

Currently, `ChoosingRam::increaseValuesOfParticipants` does not check whether the two provided tokenIds are the same. A caller (the challenger) can therefore pass their own tokenId as both arguments, effectively bypassing the function's `if (random == 0)` check and guaranteeing an increase in their NFT's attributes.

Vulnerability Details

`ChoosingRam::increaseValuesOfParticipants` does not check whether `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent` are the same. The `random` check only decides which of the two tokens is upgraded, so when both arguments refer to the challenger's token, either branch upgrades that token and the challenger wins every round.

Impact

The function's `if (random == 0)` check is effectively bypassed, guaranteeing that the challenger's NFT attributes are updated on every call. This is unintended behavior.

Tools Used

Manual Review

Recommendations

Add a check to ensure that `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent` are not the same:

```diff
 function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)
     public
     RamIsNotSelected
 {
     if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
         revert ChoosingRam__InvalidTokenIdOfChallenger();
     }
     if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
         revert ChoosingRam__InvalidTokenIdOfPerticipent();
     }
     if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {
         revert ChoosingRam__CallerIsNotChallenger();
     }
+    if (tokenIdOfChallenger == tokenIdOfAnyPerticipent) {
+        // Example custom error; declare it alongside the contract's other errors
+        revert ChoosingRam__ChallengerTokensIdsMustBeDifferent();
+    }
```
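To make the mechanism and the fix concrete, the Foundry test below is an added example written for this note; it is not code from the audited project or from the submitter. It uses constructed minimal stand-ins for the NFT and game contracts (the `level` attribute, the `mint` and `upgrade` helpers, the `guardEnabled` switch and the way `random` is derived are all assumptions, and the tokenId bound is adjusted for the model's 0-based ids). It shows that without the check a challenger who passes their own tokenId as both arguments is upgraded on every call regardless of the coin flip, while the recommended check makes that call revert before any attribute changes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the NFT contract: only the owning address ("ram") of
// each token and one upgradable attribute (`level`, an assumed name) are modelled.
contract RamNFTModel {
    struct Characteristics {
        address ram;
        uint256 level;
    }

    uint256 public tokenCounter;
    mapping(uint256 => Characteristics) private s_characteristics;

    function mint(address to) external returns (uint256 id) {
        id = tokenCounter++;
        s_characteristics[id] = Characteristics({ram: to, level: 0});
    }

    function getCharacteristics(uint256 id) external view returns (Characteristics memory) {
        return s_characteristics[id];
    }

    // No access control; the model only needs the attribute to change.
    function upgrade(uint256 id) external {
        s_characteristics[id].level += 1;
    }
}

// Constructed stand-in for ChoosingRam. `guardEnabled` toggles the recommended
// same-token check so one file shows the behaviour before and after the fix.
contract ChoosingRamModel {
    error ChoosingRam__InvalidTokenIdOfChallenger();
    error ChoosingRam__InvalidTokenIdOfPerticipent();
    error ChoosingRam__CallerIsNotChallenger();
    error ChoosingRam__ChallengerTokensIdsMustBeDifferent();

    RamNFTModel public immutable ramNFT;
    bool public immutable guardEnabled;

    constructor(RamNFTModel nft, bool guard) {
        ramNFT = nft;
        guardEnabled = guard;
    }

    function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent) public {
        if (tokenIdOfChallenger >= ramNFT.tokenCounter()) revert ChoosingRam__InvalidTokenIdOfChallenger();
        if (tokenIdOfAnyPerticipent >= ramNFT.tokenCounter()) revert ChoosingRam__InvalidTokenIdOfPerticipent();
        if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) revert ChoosingRam__CallerIsNotChallenger();
        // The check recommended by the finding.
        if (guardEnabled && tokenIdOfChallenger == tokenIdOfAnyPerticipent) {
            revert ChoosingRam__ChallengerTokensIdsMustBeDifferent();
        }

        // Assumed coin flip: the finding only relies on `random` selecting which
        // of the two tokens is upgraded, not on how it is derived.
        uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 2;
        if (random == 0) {
            ramNFT.upgrade(tokenIdOfChallenger);
        } else {
            ramNFT.upgrade(tokenIdOfAnyPerticipent);
        }
    }
}

contract IncreaseValuesOfParticipantsTest is Test {
    RamNFTModel nft;
    address challenger = makeAddr("challenger");
    address other = makeAddr("other");

    function setUp() public {
        nft = new RamNFTModel();
        nft.mint(challenger); // token 0
        nft.mint(other); // token 1
    }

    // Without the check, the challenger's token is upgraded on every call,
    // whichever branch `random` takes.
    function test_SameTokenIdBypassesRandomCheck() public {
        ChoosingRamModel game = new ChoosingRamModel(nft, false);
        uint256 rounds = 16;
        for (uint256 i = 1; i <= rounds; i++) {
            vm.warp(i * 7); // vary block.timestamp so both branches are exercised
            vm.prank(challenger);
            game.increaseValuesOfParticipants(0, 0);
        }
        assertEq(nft.getCharacteristics(0).level, rounds); // challenger won every round
        assertEq(nft.getCharacteristics(1).level, 0); // no other token was ever upgraded
    }

    // With the check, the same call reverts before any attribute changes.
    function test_GuardRejectsSameTokenId() public {
        ChoosingRamModel game = new ChoosingRamModel(nft, true);
        vm.prank(challenger);
        vm.expectRevert(ChoosingRamModel.ChoosingRam__ChallengerTokensIdsMustBeDifferent.selector);
        game.increaseValuesOfParticipants(0, 0);
        assertEq(nft.getCharacteristics(0).level, 0);
    }
}
```

Run it with `forge test --match-contract IncreaseValuesOfParticipantsTest -vv` from a Foundry project that has forge-std installed. The first test does not need to know which branch `random` took in any round: with equal arguments both branches write to the same token, which is exactly why the check is the right fix.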
Updates

Lead Judging Commences

bube Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags: Challenge themselves
