First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

Submission Details

Severity: medium

Valid

User can increase the value of his own token rapidly by setting his TokenId for challenger and any participants.

Summary

The function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyParticipant) allows a player to set the same tokenId for both tokenIdOfChallenger and tokenIdOfAnyParticipant.

Vulnerability Details

When a user calls increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyParticipant) with his own token value, he always wins.

Impact

The randomness introduced in the method increaseValuesOfParticipants becomes ineffective, allowing the user to always win and rapidly increase the value of his NFT.

Code Example

This code should be added to the smart contract Dussehra.sol#CounterTest:

function test_increaseValuesOfSameNFT() public participants {

vm.startPrank(player1);

choosingRam.increaseValuesOfParticipants(0, 0);

vm.warp(block.timestamp + 1);

choosingRam.increaseValuesOfParticipants(0, 0);

vm.warp(block.timestamp + 1);

choosingRam.increaseValuesOfParticipants(0, 0);

vm.warp(block.timestamp + 1);

choosingRam.increaseValuesOfParticipants(0, 0);

vm.warp(block.timestamp + 1);

choosingRam.increaseValuesOfParticipants(0, 0);

vm.stopPrank();

assertEq(ramNFT.getCharacteristics(0).isSatyavaakyah, true);

}

Result
player1 managed to get selected as Ram.

Ran 1 test for test/Dussehra.t.sol:CounterTest

[PASS] test_increaseValuesOfSameNFT() (gas: 426171)

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 7.26ms (713.50µs CPU time)

Tools Used

Manual review.

Recommendations

The function should check if tokenIdOfChallenger and tokenIdOfAnyParticipant are the same and revert if they are.

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyParticipant)

public

RamIsNotSelected

{

if (tokenIdOfChallenger > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfChallenger();

}

if (tokenIdOfAnyParticipant > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfParticipant();

}

if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {

revert ChoosingRam__CallerIsNotChallenger();

}

+ if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram == ramNFT.getCharacteristics(tokenIdOfAnyParticipant).ram) {

+ revert("Challenger shouldn't be any participant");

+ }

if (block.timestamp > 1728691200) {

revert ChoosingRam__TimeToBeLikeRamFinish();

}

uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;

if (random == 0) {

if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);

selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;

}

} else {

if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isJitaKrodhah == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, false, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isDhyutimaan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isVidvaan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isAatmavan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, true, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isSatyavaakyah == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, true, true);

selectedRam = ramNFT.getCharacteristics(tokenIdOfAnyParticipant).ram;

}

}

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Challenge themselves

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.