Summary
Dussehra.sol::selectRamIfNotSelected() may choose a ram that does not fulfill all the characteristics.
Vulnerability Details
Quoting from the documentation for choosingRam.sol:
"This contract allows users to increase their values and select as Ram if all characteristics are true"
From this sentence we can assume that a ram is selected only once all five attributes are true, and we can confirm this in the code. The function the organizer uses to choose a ram when the event has started but a ram has not yet been chosen is choosingRam.sol::selectRamIfNotSelected(), shown below.
```solidity
function selectRamIfNotSelected() public RamIsNotSelected OnlyOrganiser {
    // Selection window: only after the "be like Ram" phase and before the event ends
    if (block.timestamp < 1728691200) {
        revert ChoosingRam__TimeToBeLikeRamIsNotFinish();
    }
    if (block.timestamp > 1728777600) {
        revert ChoosingRam__EventIsFinished();
    }
    // Pick a token id at random over all minted RamNFTs
    uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
    // The holder of that token becomes ram; its five attributes are never checked
    selectedRam = ramNFT.getCharacteristics(random).ram;
    isRamSelected = true;
}
```
The problem is that the function never verifies the attributes of the randomly chosen ram before assigning it.
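To make the missing check concrete, here is a self-contained model (added for this report, not the project's code) that puts the vulnerable selection path next to a hardened one. The struct field names, ramNFT.tokenCounter() and ramNFT.getCharacteristics() mirror the finding; the mock NFT, its mint helper, the constructor, the custom errors and the omission of the time-window checks are assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model: struct and RamNFT calls follow the names in the finding,
// everything else is a stand-in so the example compiles on its own.
struct CharacteristicsOfRam {
    address ram;
    bool isJitaKrodhah;
    bool isDhyutimaan;
    bool isVidvaan;
    bool isAatmavan;
    bool isSatyavaakyah;
}

contract MockRamNFT {
    uint256 public tokenCounter;
    mapping(uint256 => CharacteristicsOfRam) private _traits;

    // Demo helper: mint a token whose five attributes are chosen by the caller.
    function mint(address ram, bool a, bool b, bool c, bool d, bool e) external returns (uint256 id) {
        id = tokenCounter++;
        _traits[id] = CharacteristicsOfRam(ram, a, b, c, d, e);
    }

    function getCharacteristics(uint256 id) external view returns (CharacteristicsOfRam memory) {
        return _traits[id];
    }
}

contract ChoosingRamModel {
    error ChoosingRam__RamIsAlreadySelected();
    error ChoosingRam__CandidateNotEligible(uint256 tokenId);

    MockRamNFT public immutable ramNFT;
    address public selectedRam;
    bool public isRamSelected;

    constructor(MockRamNFT nft) {
        ramNFT = nft;
    }

    // Eligibility rule from the documentation: all five attributes must be true.
    function isEligible(CharacteristicsOfRam memory c) public pure returns (bool) {
        return c.isJitaKrodhah && c.isDhyutimaan && c.isVidvaan && c.isAatmavan && c.isSatyavaakyah;
    }

    // Vulnerable shape: random index, holder assigned without any attribute check.
    function selectUnchecked() external {
        if (isRamSelected) revert ChoosingRam__RamIsAlreadySelected();
        uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
        selectedRam = ramNFT.getCharacteristics(random).ram;
        isRamSelected = true;
    }

    // Hardened shape: validate the candidate before committing any state.
    function selectChecked() external {
        if (isRamSelected) revert ChoosingRam__RamIsAlreadySelected();
        uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
        CharacteristicsOfRam memory candidate = ramNFT.getCharacteristics(random);
        if (!isEligible(candidate)) revert ChoosingRam__CandidateNotEligible(random);
        selectedRam = candidate.ram;
        isRamSelected = true;
    }
}
```

With a single token minted through mint(addr, false, false, false, false, false), the modulo makes random equal to 0 regardless of the block, so selectUnchecked() sets selectedRam to addr and marks the ram as selected, while selectChecked() reverts with ChoosingRam__CandidateNotEligible(0) and leaves isRamSelected false. Keeping the rule in a pure isEligible() helper lets the same predicate be unit-tested and reused by any other path that promotes a token holder to ram.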
Impact
A random user who is not eligible to become ram (assuming all 5 attributes must be true) can be selected as ram due to the lack of validation.
Tools Used
Manual Analysis
Recommendations
It is better to first ensure that the randomly selected user has all 5 attributes set to true.
```diff
function selectRamIfNotSelected() public RamIsNotSelected OnlyOrganiser {
if (block.timestamp < 1728691200) {
revert ChoosingRam__TimeToBeLikeRamIsNotFinish();
}
if (block.timestamp > 1728777600) {
revert ChoosingRam__EventIsFinished();
}
uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();
+ CharacteristicsOfRam memory candidateRam = ramNFT.getCharacteristics(random);
+ // Verify the attributes
+ require(candidateRam.isJitaKrodhah, "Ram does not have the isJitaKrodhah attribute");
+ require(candidateRam.isDhyutimaan, "Ram does not have the isDhyutimaan attribute");
+ require(candidateRam.isVidvaan, "Ram does not have the isVidvaan attribute");
+ require(candidateRam.isAatmavan, "Ram does not have the isAatmavan attribute");
+ require(candidateRam.isSatyavaakyah, "Ram does not have the isSatyavaakyah attribute");
// If all attributes are verified, assign the address to selectedRam and set isRamSelected to true
selectedRam = candidateRam.ram;
isRamSelected = true;
}
```
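Review bot: the hunk does not apply as written, because only the new require lines carry a `+` marker while the original `selectedRam = ramNFT.getCharacteristics(random).ram;` is not shown with `-` and its replacement `selectedRam = candidateRam.ram;` and the rewritten comment line carry no marker; mark the removed line with `-` and the changed lines with `+` so the suggestion is a complete diff. Also worth stating in the report: each require reverts the whole call, so a draw that lands on an ineligible token leaves isRamSelected false and the organiser must call again in a later block to obtain a fresh random value, and if no minted token has all five attributes true the selection can never complete inside the event window.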