Beginner FriendlyFoundryNFT
100 EXP
View results
Submission Details
Severity: high
Valid

Incorrect token counter check in `ChoosingRam::increaseValuesOfParticipants` will allow the challenger to pass non-existent tokenId, thus challenger will not be challenging actual people.

Summary

The increaseValuesOfParticipants function allows users to upgrade their characteristics by challenging with other participants, but due to incorrect token check of participant, the challenger will be allowed to pass non-existent tokenId and thus it will not benefit any participant that won when challenged by challenger.

Vulnerability Details

  • The vulnerability is present in the increaseValuesOfParticipants where it performs a strict > check, instead of >= check.

  • The ramNFT::tokenCounter returns the tokenId that is to be minted next and thus all tokenIds >= to ramNFT::tokenCounter are non-existent but increaseValuesOfParticipants doesn't revert even if the tokenIdOfAnyPerticipent equals ramNFT::tokenCounter, which is non-existent.

  • As a result of this challenger passing non-existent tokenIds will never make actual participants benefit as properties are updated on a non-existent tokenId, even if other person minted that particular tokenId everthing will reset.

  • Along with that if that non-existent tokenId won all the characteristics, then Ram will be selected as address(0), therefore a person can create a mess in the Dussehra event by making address(0) as Ram, resulting which funds being locked in the Dussehra contract that were to be given to the selected Ram.

Impact

  • Challenger will bring no benefit to other participants by passing non-existent tokenIds.

  • Challenger can create havoc in the Dussehra event by passing non-existent tokenId as participant and when non-existent tokenId wins all the characteristics address(0) will be selected as Ram, which will lead to fund lock in Dussehra contract that were to be given to the selected Ram. But selected Ram being address(0) is insignificant as they are not actually Ram.

Tools Used

Manual Review

Recommendations

Make the increaseValuesOfParticipants function to revert when tokenId passed is >= ramNFT.tokenCounter()

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The token counter check is incorrect

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.