The increaseValuesOfParticipants function in the ChoosingRam contract lacks proper access control, allowing anyone to call the function and manipulate the characteristics of any token. This can lead to unauthorized changes and potential manipulation of the selection process for Ram.
The function increaseValuesOfParticipants is designed to update the characteristics of participants based on a random outcome. However, it does not restrict who can call the function, which means any user can invoke it and potentially manipulate the outcome.
The lack of access control modifiers allows any external address to call the increaseValuesOfParticipants function, leading to unauthorized access and potential abuse.
The absence of access control can result in unauthorized users manipulating the characteristics of participants and influencing the selection process of Ram, leading to unfair advantages and potential loss of integrity in the system.
Potential Exploits
Unauthorized Manipulation: An attacker can repeatedly call the function to manipulate the characteristics of their preferred token.
Denial of Service: Spamming the function call can lead to high gas consumption and potentially disrupt the contract's operations.
Manual Code Review
Add a modifier to restrict who can call the function, ensuring that only authorized participants (e.g., the token owner or a specific authorized address) can influence the characteristics.
Define an Access Control Modifier
Apply the Modifier to the Function
function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent) public RamIsNotSelected onlyAuthorized(tokenIdOfChallenger) {
// Function logic here
}
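The modifier definition for the "Define an Access Control Modifier" step does not appear on the page. One way to write it is shown here as an added example, not the contest contract's own code. The ERC-721 `ownerOf` lookup, the `participantNFT` and `organiser` names, the custom errors, the event and the body of `RamIsNotSelected` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Only increaseValuesOfParticipants, RamIsNotSelected and
// onlyAuthorized come from the finding; every other name is an assumption.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract ChoosingRamAccessControlSketch {
    error NotAuthorized(address caller, uint256 tokenId);
    error RamAlreadySelected();

    IERC721Minimal public immutable participantNFT; // assumed participant token contract
    address public immutable organiser;             // assumed "specific authorized address"
    bool public isRamSelected;

    event ValuesIncreased(address indexed caller, uint256 challenger, uint256 other);

    constructor(IERC721Minimal nft, address organiser_) {
        participantNFT = nft;
        organiser = organiser_;
    }

    modifier RamIsNotSelected() {
        if (isRamSelected) revert RamAlreadySelected();
        _;
    }

    // Caller must own the challenger token or be the authorized address.
    // Standard ERC-721 ownerOf reverts for a token that does not exist,
    // so an unminted tokenId is rejected as well.
    modifier onlyAuthorized(uint256 tokenId) {
        address tokenOwner = participantNFT.ownerOf(tokenId);
        if (msg.sender != tokenOwner && msg.sender != organiser) {
            revert NotAuthorized(msg.sender, tokenId);
        }
        _;
    }

    function increaseValuesOfParticipants(
        uint256 tokenIdOfChallenger,
        uint256 tokenIdOfAnyPerticipent
    ) public RamIsNotSelected onlyAuthorized(tokenIdOfChallenger) {
        // The contract's characteristic-update logic runs here, after both checks pass.
        emit ValuesIncreased(msg.sender, tokenIdOfChallenger, tokenIdOfAnyPerticipent);
    }
}
```

The modifier only binds the caller to `tokenIdOfChallenger`; whether the second token id also needs an ownership or existence check depends on the update logic.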