First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Inconsistent Modifier Logic Preventing `Dussehra.sol::withdraw()`

kiinzu

Summary

Inconsistent in the modifiers used in the Dussehra.sol::withdraw() preventing the function to be called

Vulnerability Details

The code has 3 modifiers about ram, one in choosingRam.sol is choosingRam.sol::RamIsNotSelected()

modifier RamIsNotSelected() {

require(!isRamSelected, "Ram is selected!");

}

This modifier ensures that the function choosingRam.sol::selectRamIfNotSelected() can only be called when isRamSelected equals to false.

Next, In the Dussehra.sol we got Dussehra.sol::RamIsSelected() and Dussehra.sol::OnlyRam()

modifier RamIsSelected() {

require(choosingRamContract.isRamSelected(), "Ram is not selected yet!");

}

modifier OnlyRam() {

require(choosingRamContract.selectedRam() == msg.sender, "Only Ram can call this function!");

}

Both of these modifiers in Dussehra.sol are used for the Dussehra.sol::withdraw(), but both of them can cause trouble by themselves because of a condition, let's go back to choosingRam.sol::increaseValuesOfParticipants(), in here once a person successfully get the ram attribute, a variable with the name of selectedRam is updated to store the address of the new ram, making the Dussehra.sol::OnlyRam() pass when the address of ram calling the withdraw, but the withdraw won't continue, here is why. We need to take a look at the Dussehra.sol::withdraw() function,

function withdraw() public RamIsSelected OnlyRam RavanKilled {

if (totalAmountGivenToRam == 0) {

revert Dussehra__AlreadyClaimedAmount();

}

uint256 amount = totalAmountGivenToRam;

(bool success, ) = msg.sender.call{value: amount}("");

require(success, "Failed to send money to Ram");

totalAmountGivenToRam = 0;

}

In that function, notice that OnlyRam is not the modifier used on the function (we are going to ignore RavanKilled), we got another modifier called RamIsSelected, even though the selectedRam variable has some value (let's say msg.sender here so we pass the modifier), the ram cannot call the withdraw because the isRamSelected bool is still false, the only way to update this bool is an organizer calling the function choosingRam::selectRamIfNotSelected(). Only then the randomly chosen ram can call the withdraw function.

Impact

Even though a ram is already selected via the choosingRam.sol::increaseValuesOfParticipants() after successfully updating one characteristics and became ram, if the event continues until the end without the organization involvement of calling the choosingRam::selectRamIfNotSelected(), the money will be forever stuck in the contract since nobody can withdraw it due to the modifier.

Tools Used

Manual Analysis

Recommendations

It is better to set the bool isRamSelected to become true after the update of user, so that the modifier will also become true and not stopping the withdraw process. Adding this to the code choosingRam.sol::increaseValuesOfParticipants() is recommended

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)

//Rest of the code

if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false){

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false){

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false){

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false){

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false){

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);

selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;

+ isRamSelected = true;

}

}```

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`isRamSelected` is not set

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.