Submission Details
Severity: low
Invalid

Missing timegate for `Dussehra::enterPeopleWhoLikeRam`, users can join after Ram is selected/event ended

Summary

Dussehra::enterPeopleWhoLikeRam is missing a time gate and, hence, can be (successfully) called even after the Dussehra event has ended.
Ideally, users are not supposed to be able to call Dussehra::enterPeopleWhoLikeRam after Ram has been selected.

Vulnerability Details

Dussehra::enterPeopleWhoLikeRam is supposed to enable users to enter the Dussehra event by paying the necessary entrance fee. In exchange, they get the following:

  • a Ram NFT,

  • a chance to increase the value of their NFT,

  • a chance to become Ram for the event and as such, win 50% of the prize pool.

However, Dussehra::enterPeopleWhoLikeRam is not time-gated and, hence, users can call it even after the event.

This is demonstrated by the following test:

```solidity
function test_playerCanEnterAfterEventEnded() public {
    // 1728777669 is the event end (12 October 2024); warp one second past it
    vm.warp(1728777669 + 1);
    vm.deal(player1, 1 ether);
    // player enters after the event
    vm.prank(player1);
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    // player1 has the NFT
    assertEq(ramNFT.ownerOf(0), player1);
    assertEq(ramNFT.getCharacteristics(0).ram, player1);
    // player1 has 0 funds left, contract has the ether
    assertEq(player1.balance, 0);
    assertEq(address(dussehra).balance, 1 ether);
}
```
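The two gates this finding calls for (no entry after Ram is selected, no entry after the event end), together with a Foundry test that the entry call reverts in both cases, as an added example that is not from the submission or the Dussehra code base; `GatedDussehra`, `ChoosingRamStub`, `END_TIME` and `Dussehra__EventEnded` are assumed stand-ins for the real contracts.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Stand-in for the ChoosingRam contract: only the flag the gate reads (assumption).
contract ChoosingRamStub {
    bool public isRamSelected;
    function setRamSelected(bool v) external { isRamSelected = v; }
}
// Trimmed Dussehra (assumed layout) with both gates the finding calls for.
contract GatedDussehra {
    error Dussehra__RamIsAlreadySelected();
    error Dussehra__EventEnded();
    uint256 public constant END_TIME = 1728777669; // event end the report's test warps past
    ChoosingRamStub public choosingRamContract;

    constructor(ChoosingRamStub choosing) { choosingRamContract = choosing; }
    function enterPeopleWhoLikeRam() public payable {
        // Gate 1: entries close once Ram has been selected.
        if (choosingRamContract.isRamSelected()) revert Dussehra__RamIsAlreadySelected();
        // Gate 2: entries close once the event end timestamp has passed.
        if (block.timestamp >= END_TIME) revert Dussehra__EventEnded();
        // fee check, entrant bookkeeping and the NFT mint follow as in the original
    }
}

contract GatedDussehraTest is Test {
    GatedDussehra dussehra;
    ChoosingRamStub choosing;
    address player1 = makeAddr("player1");

    function setUp() public {
        choosing = new ChoosingRamStub();
        dussehra = new GatedDussehra(choosing);
        vm.deal(player1, 1 ether);
    }

    function test_entryRevertsAfterEventEnded() public {
        vm.warp(dussehra.END_TIME() + 1); // same warp as the report's failing test
        vm.expectRevert(GatedDussehra.Dussehra__EventEnded.selector);
        vm.prank(player1);
        dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    }

    function test_entryRevertsAfterRamSelected() public {
        choosing.setRamSelected(true);
        vm.expectRevert(GatedDussehra.Dussehra__RamIsAlreadySelected.selector);
        vm.prank(player1);
        dussehra.enterPeopleWhoLikeRam{value: 1 ether}();
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; both tests pass only when the corresponding gate reverts the late entry.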

Impact

  • Users who call this function after Ram has been selected but before 12th October 2024 will get only 2 of the 3 benefits players normally get. They will not get the chance to become Ram for the event.

  • Users who call this function after 12th October 2024 will get only 1 of the 3 benefits players normally get. They will not get the chance to become Ram for the event, nor can they increase the value of their NFT.

Tools Used

Manual review, Foundry.

Recommendations

For fairness, ensure users cannot call Dussehra::enterPeopleWhoLikeRam after Ram has been selected. Modify Dussehra as follows:

...
+ error Dussehra__RamIsAlreadySelected();
...
function enterPeopleWhoLikeRam() public payable {
+ if (choosingRamContract.isRamSelected() == false) {
+ error Dussehra__RamIsAlreadySelected();
+ )
if (msg.value != entranceFee) {
revert Dussehra__NotEqualToEntranceFee();
}
if (peopleLikeRam[msg.sender] == true){
revert Dussehra__AlreadyPresent();
}
peopleLikeRam[msg.sender] = true;
WantToBeLikeRam.push(msg.sender);
ramNFT.mintRamNFT(msg.sender);
emit PeopleWhoLikeRamIsEntered(msg.sender);
}
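Review bot: the guard added at the top of `enterPeopleWhoLikeRam` is inverted and does not compile as written: `isRamSelected() == false` would reject everyone who enters before Ram is chosen, the opposite of the stated intent; `error Dussehra__RamIsAlreadySelected();` inside a function body is not a revert statement (custom errors are declared at contract level and raised with `revert`); and the block closes with `)` instead of `}`. Suggest `if (choosingRamContract.isRamSelected()) { revert Dussehra__RamIsAlreadySelected(); }`. Since the title and the test also cover entry after the event end date (the test warps past 1728777669), a timestamp check is needed alongside this one; the `isRamSelected` flag alone does not express that cutoff.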
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid - enter people after event or after Ram is selected

It is the user's responsibility to check the date of the event.
