Submission Details
Severity:
Bad implementation to know if 'tokenIdOfAnyPerticipent' exists or not in 'ChoosingRam__increaseValuesOfParticipants'
Vulnerability Details
In this function if 'tokenIdOfAnyPerticipent' is equals to 'RamNFT__TokenCounter', the values of a non existing nft (not minted yet) will be updated.
Impact
The characteristics of a non-existing NFT will be updated, and this might not be good if some others users see the characteristics of the NFT
##PoC
function test_canIncreaseValuesOfPartcipants_invalidTokenIdOfParticipant() public {
vm.startPrank(address(this));
ramNft.setChoosingRamContract(address(choosingRam));
vm.stopPrank();
address casualAddress1 = address(123);
vm.startPrank(casualAddress1);
ramNft.mintRamNFT(casualAddress1);
vm.stopPrank();
address casualAddress2 = address(124);
vm.startPrank(casualAddress2);
ramNft.mintRamNFT(casualAddress2);
vm.stopPrank();
address casualAddress3 = address(125);
vm.startPrank(casualAddress3);
ramNft.mintRamNFT(casualAddress3);
address casualAddress4 = address(126);
vm.startPrank(casualAddress4);
ramNft.mintRamNFT(casualAddress4);
//Calling functions with 'casualAddress4'
uint256 random =
uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, casualAddress4))) % 2;
choosingRam.increaseValuesOfParticipants(3, 4);
if(random == 0){
assertEq(ramNft.getCharacteristics(3).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(3).isDhyutimaan, false);
assertEq(ramNft.getCharacteristics(3).isVidvaan, false);
assertEq(ramNft.getCharacteristics(3).isAatmavan, false);
assertEq(ramNft.getCharacteristics(3).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
} else {
assertEq(ramNft.getCharacteristics(4).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(4).isDhyutimaan, false);
assertEq(ramNft.getCharacteristics(4).isVidvaan, false);
assertEq(ramNft.getCharacteristics(4).isAatmavan, false);
assertEq(ramNft.getCharacteristics(4).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
}
choosingRam.increaseValuesOfParticipants(3, 4);
if(random == 0){
assertEq(ramNft.getCharacteristics(3).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(3).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(3).isVidvaan, false);
assertEq(ramNft.getCharacteristics(3).isAatmavan, false);
assertEq(ramNft.getCharacteristics(3).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
} else {
assertEq(ramNft.getCharacteristics(4).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(4).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(4).isVidvaan, false);
assertEq(ramNft.getCharacteristics(4).isAatmavan, false);
assertEq(ramNft.getCharacteristics(4).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
}
choosingRam.increaseValuesOfParticipants(3, 4);
if(random == 0){
assertEq(ramNft.getCharacteristics(3).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(3).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(3).isVidvaan, true);
assertEq(ramNft.getCharacteristics(3).isAatmavan, false);
assertEq(ramNft.getCharacteristics(3).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
} else {
assertEq(ramNft.getCharacteristics(4).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(4).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(4).isVidvaan, true);
assertEq(ramNft.getCharacteristics(4).isAatmavan, false);
assertEq(ramNft.getCharacteristics(4).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
}
choosingRam.increaseValuesOfParticipants(3, 4);
if(random == 0){
assertEq(ramNft.getCharacteristics(3).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(3).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(3).isVidvaan, true);
assertEq(ramNft.getCharacteristics(3).isAatmavan, true);
assertEq(ramNft.getCharacteristics(3).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
} else {
assertEq(ramNft.getCharacteristics(4).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(4).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(4).isVidvaan, true);
assertEq(ramNft.getCharacteristics(4).isAatmavan, true);
assertEq(ramNft.getCharacteristics(4).isSatyavaakyah, false);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
}
choosingRam.increaseValuesOfParticipants(3, 4);
if(random == 0){
assertEq(ramNft.getCharacteristics(3).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(3).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(3).isVidvaan, true);
assertEq(ramNft.getCharacteristics(3).isAatmavan, true);
assertEq(ramNft.getCharacteristics(3).isSatyavaakyah, true);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, ramNft.getCharacteristics(3).ram);
} else {
assertEq(ramNft.getCharacteristics(4).isJitaKrodhah, true);
assertEq(ramNft.getCharacteristics(4).isDhyutimaan, true);
assertEq(ramNft.getCharacteristics(4).isVidvaan, true);
assertEq(ramNft.getCharacteristics(4).isAatmavan, true);
assertEq(ramNft.getCharacteristics(4).isSatyavaakyah, true);
address _selectedRam = choosingRam.selectedRam();
assertEq(_selectedRam, ramNft.getCharacteristics(4).ram);
assertEq(_selectedRam, 0x0000000000000000000000000000000000000000);
}
}
Tools Used
Manual Review
Recommendations
Do not use:
if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfPerticipent();
}
Instead use:
if (tokenIdOfAnyPerticipent >= ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfPerticipent();
}
Updates
Lead Judging Commences
bube over 1 year ago
Submission Judgement Published Assigned finding tags:
The token counter check is incorrect
Rewards breakdown
nSLOC
218This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.