Severity: medium
Valid

Lack of check in `ChoosingRam::increaseValuesOfParticipants` function allows a player to play against himself.

Summary

Lack of check in ChoosingRam::increaseValuesOfParticipants function allows a player to play against himself, which should not be allowed.

Vulnerability Details

```solidity
// @audit - caller can play against himself
function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)
    public
    RamIsNotSelected
{
    if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
        revert ChoosingRam__InvalidTokenIdOfChallenger();
    }
    if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
        revert ChoosingRam__InvalidTokenIdOfPerticipent();
    }
    if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {
        revert ChoosingRam__CallerIsNotChallenger();
    }
    .
    .
}
```

The `ChoosingRam::increaseValuesOfParticipants` function lets a player increase the value of a Ram NFT. It accepts the token id of the challenger (the caller) and the token id of any participant that also holds a Ram NFT. The problem is that the caller can pass his own token id as both challenger and participant, and the function has no check for this scenario. The challenger can therefore play against himself, which should not be allowed.

  1. Player mints a Ram NFT with token id 0.

  2. Assert that token id 0 is not Jita Krodhah.

  3. Player calls the `ChoosingRam::increaseValuesOfParticipants` function with token id 0 as challenger and token id 0 as participant. The token's value increases to Jita Krodhah.

  4. Player calls the `ChoosingRam::increaseValuesOfParticipants` function again with token id 0 as challenger and token id 0 as participant. The token's value increases to Dhyutimaan.

PoC

Place the following test into `Dussehra.t.sol`.

```solidity
function test_challengerCanPlayVsHimself() public participants {
    // Token 0 starts without the Jita Krodhah characteristic.
    assertTrue(ramNFT.getCharacteristics(0).isJitaKrodhah == false);
    vm.startPrank(player1);
    // First self-challenge: token 0 is both challenger and participant.
    choosingRam.increaseValuesOfParticipants(0, 0);
    assertTrue(ramNFT.getCharacteristics(0).isJitaKrodhah == true);
    // Second self-challenge raises the same token to Dhyutimaan.
    choosingRam.increaseValuesOfParticipants(0, 0);
    assertTrue(ramNFT.getCharacteristics(0).isDhyutimaan == true);
}
```

Impact

The owner of a Ram NFT token can easily increase its value with no chance of losing, because he is playing against himself; it is a win-win situation. This is not desired behavior, because that player could easily become the selected Ram within a few function calls.

Tools Used

Manual review

Recommendations

Add an additional check in the `ChoosingRam::increaseValuesOfParticipants` function to prevent a player from playing against himself.

+ error ChoosingRam__CannotPlayAgainstYourself();
.
.
function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)
public
RamIsNotSelected
{
if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfChallenger();
}
if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfPerticipent();
}
if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {
revert ChoosingRam__CallerIsNotChallenger();
}
+ if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram == msg.sender) {
+ revert ChoosingRam__CannotPlayAgainstYourself();
+ }
if (block.timestamp > 1728691200) {
revert ChoosingRam__TimeToBeLikeRamFinish();
}
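
Review bot: the added guard `ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram == msg.sender` compares owners rather than token ids, so besides the (0, 0) case from the PoC it also reverts when the caller pairs two different Ram NFTs he holds. If that is the intent, say so in a comment or NatSpec on `ChoosingRam__CannotPlayAgainstYourself`; if only same-token play should be rejected, compare `tokenIdOfChallenger` with `tokenIdOfAnyPerticipent` instead. Either way, add a test next to `test_challengerCanPlayVsHimself` that expects this revert, so the check cannot be dropped unnoticed.
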
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Challenge themselves
