Summary
increaseValuesOfParticipants() can update another participant's characteristics when random == 1.
Vulnerability Details
The documentation says:
increaseValuesOfParticipants - Allows users to increase their values(or characteristics) and become Ram for the event and never update the values again after 12th October 2024.
In the code, however, the function takes two inputs: the challenger's (our own) tokenId and the tokenId of any other participant. It also computes a variable called random, as this snippet shows:
- uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;
if (random == 0) {
if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);
selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;
}
} else {
if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isJitaKrodhah == false){
ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, false, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isDhyutimaan == false){
ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isVidvaan == false){
ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isAatmavan == false){
ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isSatyavaakyah == false){
ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, true);
selectedRam = ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram;
}
}
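Review bot: the else branch writes to tokenIdOfAnyPerticipent, an id supplied by the caller, and nothing in these lines relates that id to msg.sender before updateCharacteristics is called on it. The random value on the first line is derived from block.timestamp, block.prevrandao and msg.sender, so it only selects a branch and does not act as an authorization check. If updating a second token is intended, the function should validate that id and the documentation should say so; otherwise the branch should be removed.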
If random is 0, the challenger's (our own) token is updated; if random is 1, the token of the other participant whose tokenId we supplied is updated instead. So we can update other people's characteristics, not only our own.
Impact
Other people's characteristics will be updated if random is 1.
Tools Used
Manual Analysis, REMIX
Recommendations
It is better to remove tokenIdOfAnyPerticipent and random completely:
- uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;
- if (random == 0) {
if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false){
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);
selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;
}
- } else {
- if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isJitaKrodhah == false){
- ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, false, false, false, false);
- } else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isDhyutimaan == false){
- ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, false, false, false);
- } else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isVidvaan == false){
- ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, false, false);
- } else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isAatmavan == false){
- ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, false);
- } else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isSatyavaakyah == false){
- ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, true);
- selectedRam = ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram;
- }
- }
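Review bot: the removals cover every use of tokenIdOfAnyPerticipent in the body, but the function signature is not in the hunk, so the parameter would stay in place, unused; the signature, its documentation and any callers or tests that pass two ids should change in the same patch. In the retained chain, a token whose five flags are already true matches no branch and the call returns without effect; an explicit revert in a final else would make that case visible.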
With random and the else branch removed, we can ensure that when we call this function it updates only our own characteristics.
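A regression test for the property stated above, as an added example that is not the project's code or part of the original report. It assumes Foundry's forge-std; LadderModel, mint, the level counter and the owner check are constructed stand-ins, since the page does not show the function header or the RamNFT contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the project's contracts. `level` counts how many of
// the five characteristics are set, which is all the if/else ladder tracks.
contract LadderModel {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public level;

    function mint(uint256 id, address to, uint256 startLevel) external {
        ownerOf[id] = to;
        level[id] = startLevel;
    }

    // Patched shape: one token id, no `random`, no else branch.
    // Assumption: the owner check; the page does not show the function header.
    function increaseValuesOfParticipants(uint256 tokenIdOfChallenger) external {
        require(ownerOf[tokenIdOfChallenger] == msg.sender, "not token owner");
        if (level[tokenIdOfChallenger] < 5) {
            level[tokenIdOfChallenger] += 1;
        }
    }
}

contract LadderModelTest is Test {
    LadderModel model = new LadderModel();
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    // Property: a call by alice changes her own token only, for every starting state.
    function testFuzz_onlyCallerTokenChanges(uint256 a, uint256 b) public {
        a = bound(a, 0, 5);
        b = bound(b, 0, 5);
        model.mint(1, alice, a);
        model.mint(2, bob, b);

        vm.prank(alice);
        model.increaseValuesOfParticipants(1);
        assertEq(model.level(1), a < 5 ? a + 1 : 5);
        assertEq(model.level(2), b);

        // Passing bob's id directly must be rejected, not silently applied.
        vm.prank(alice);
        vm.expectRevert("not token owner");
        model.increaseValuesOfParticipants(2);
    }
}
```

Against the real contracts the same assertions apply by comparing getCharacteristics for the second token before and after the call.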