First Flight #17: Dussehra

Summary

The native currency of the BNB Smart Chain is BNB, not ETH as on the other deployment target chains Ethereum, Arbitrum and ZkSync.
This necessitates adjusting the entranceFee during deployment to ensure it aligns with the USD value intended for Ethereum deployments.

Vulnerability Details

The Dussehra contract relies on transfers of the native currency at multiple points:

• in Dussehra::enterPeopleWhoLikeRam, which has to be called with msg.value = entranceFee,

• in Dussehra::killRavana when the low-level call .call is used,

• in Dussehra::withdraw when the low-level call .call is used.

Importantly, the native currency of BNB Smart Chain is BNB, not ETH as on the Ethereum, Arbitrum and ZkSync chains.

Impact

If Dussehra is deployed with the same entranceFee = X on the BNB Smart Chain and on Ethereum, the USD-denominated entrance fee will be wildly different on the 2 chains.

Tools Used

Manual review.

Recommendations

When deploying the protocol on the BNB Smart Chain, adjust the entranceFee so that the USD-denominated entrance fee will be similar to the USD-denominated entrance fee on Ethereum.