Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Valid

TokenIds Passed to `ChoosingRam::increaseValuesOfParticipants` Can Be Owned by the Same Wallet

Summary

Currently, `ChoosingRam::increaseValuesOfParticipants` does not check whether the provided `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent` token IDs are owned by the same wallet. This results in unintended behavior: a challenger who passes two of their own token IDs is guaranteed to have one of their NFTs' attributes upgraded.

Vulnerability Details

`ChoosingRam::increaseValuesOfParticipants` does not check whether the provided `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent` token IDs are owned by the same wallet.

Impact

Because both token IDs can belong to the same user, only the caller (challenger) can end up with one of their NFTs' attributes upgraded, and that upgrade is guaranteed. This is unintended behavior.

Tools Used

Manual Review

Recommendations

Add a check to ensure that the owners of `tokenIdOfChallenger` and `tokenIdOfAnyPerticipent` are not the same.

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)
public
RamIsNotSelected
{
if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfChallenger();
}
if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfPerticipent();
}
if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {
revert ChoosingRam__CallerIsNotChallenger();
}
+ if (ramNFT.ownerOf(tokenIdOfChallenger) == ramNFT.ownerOf(tokenIdOfAnyPerticipent)) {
+ revert ChoosingRam__TokenOwnersMustBeDifferent(); // Example custom error
+ }
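Review bot: the added guard decides ownership with `ramNFT.ownerOf(...)`, while the caller check directly above it identifies the challenger through `ramNFT.getCharacteristics(tokenIdOfChallenger).ram`. If those two records can ever disagree, the two guards protect different things. Use one source of ownership for both, for example by rejecting the call when `ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram == msg.sender`. The new `ChoosingRam__TokenOwnersMustBeDifferent` error also has to be declared alongside the contract's other custom errors. The check only separates addresses, so the recommendation should state that it does not cover one user holding the second token in a different wallet.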
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Challenge themselves
