First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Broken Access Control allows anyone to call `RamNFT::minRamNFT` resulting in players being able to participate without paying the entrance fee

poolig4n

Summary
A Broken Access Control allows anyone to call RamNFT::minRamNFT resulting in players being able to participate without paying the entrance fee and potentially becoming Ram and then claiming the winner's funds allocated for Ram.

Description
The mintRamNFT function does not implement suitable access control allowing anyone to repeatedly invoke the function, generate an NFT and participate in the event without paying the entrance fee. As this function can be called repeatedly, a malicious actor can invoke this function to increase their chances of becoming Ram. If the malicious actor becomes Ram they can then invoke the function Dussehra::withdraw and claim the money allocated to Ram after Ravan is killed via the function Dussehra::killRavana.

Impact
The protocol is fundamentally flawed due to the missing access control, which allows anyone to participate in the event without paying the entrance fee. Malicious actors can enter themselves as many times as they like to increase the chance of them becoming Ram and winning the percentage of fees allocated to Ram.

Code

// This function is missing a key access control modifier.

// Anyone can call this which enrols them into the event without paying.

// This can be called repeatedly, which would increase the chance of winning.

// Note: The token counter is used as the key for the mapping.

function mintRamNFT(address to) public {

uint256 newTokenId = tokenCounter++;

_safeMint(to, newTokenId);

Characteristics[newTokenId] = CharacteristicsOfRam({

ram: to,

isJitaKrodhah: false,

isDhyutimaan: false,

isVidvaan: false,

isAatmavan: false,

isSatyavaakyah: false

});

}

The organiser will invoke selectRamIfNotSelected to choose the winner. The tokenCounter is used as an upper-bounds for the random number so it can be used to map to a value in the RamNFT::Characteristics mapping.

function selectRamIfNotSelected() public RamIsNotSelected OnlyOrganiser {

if (block.timestamp < 1728691200) {

revert ChoosingRam__TimeToBeLikeRamIsNotFinish();

}

if (block.timestamp > 1728777600) {

revert ChoosingRam__EventIsFinished();

}

uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter(); <--* Token counter

selectedRam = ramNFT.getCharacteristics(random).ram; <--* Select Ram

isRamSelected = true;

}

Recommended mitigation

The recommended mitigation is to add the access control as shown below to restrict who can call this function.

- function mintRamNFT(address to) public {

+ function mintRamNFT(address to) public onlyChoosingRamContract {

uint256 newTokenId = tokenCounter++;

_safeMint(to, newTokenId);

Characteristics[newTokenId] = CharacteristicsOfRam({

ram: to,

isJitaKrodhah: false,

isDhyutimaan: false,

isVidvaan: false,

isAatmavan: false,

isSatyavaakyah: false

});

}

Proof of Concept

Standalone test:

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.13;

import {Test, console} from "forge-std/Test.sol";

import {Dussehra} from "../src/Dussehra.sol";

import {ChoosingRam} from "../src/ChoosingRam.sol";

import { mock } from "../src/mocks/mock.sol";

import {RamNFT} from "../src/RamNFT.sol";

contract AccessControlTest is Test {

Dussehra public dussehra;

RamNFT public ramNFT;

ChoosingRam public choosingRam;

address public organiser = makeAddr("organiser");

address public player1 = makeAddr("player1");

address public player2 = makeAddr("player2");

address public player3 = makeAddr("player3");

address public player4 = makeAddr("player4");

address public player5 = makeAddr("player5");

modifier participants5() {

vm.startPrank(player1);

vm.deal(player1, 1 ether);