Submission Details
Severity:
Even if a player manages to be selected as Ram by increasing his value, the organizer can select another Ram
Summary
Even if a player manages to be selected as Ram by increasing his value, it is not possible to kill Ravana.
Vulnerability Details
In the function ChoosingRam.increaseValuesOfParticipants, when a player increases his value and manages to be selected as Ram, the variable isRamSelected is never set to true. Therefore, it is impossible to kill Ravana. Additionally, the organizer can change the winner by calling choosingRam.selectRamIfNotSelected(), even if there is already a selected Ram.
If Organiser doesn't selected Ram,It won't be possible to kill Ravana
Impact
The selected Ram can lose his reward if the organizer calls choosingRam.selectRamIfNotSelected().
Code Example
This code should be added to the smart contract Dussehra.sol#CounterTest:
function test_isRamSelected_flag_never_true() public participants {
// Increase the value to be selected as Ram
vm.startPrank(player1);
choosingRam.increaseValuesOfParticipants(0, 0);
vm.warp(block.timestamp + 1);
choosingRam.increaseValuesOfParticipants(0, 0);
vm.warp(block.timestamp + 1);
choosingRam.increaseValuesOfParticipants(0, 0);
vm.warp(block.timestamp + 1);
choosingRam.increaseValuesOfParticipants(0, 0);
vm.warp(block.timestamp + 1);
choosingRam.increaseValuesOfParticipants(0, 0);
vm.stopPrank();
// Player 1 is the selected Ram
assertEq(ramNFT.getCharacteristics(0).isSatyavaakyah, true);
assertEq(choosingRam.selectedRam(), address(player1));
// Check if the Ram is selected; we see that Ram is not selected even if we have an address selected as Ram in choosingRam
assertEq(choosingRam.isRamSelected(), false);
// Killing Ravana is not possible even if the user manages to be selected as Ram by increasing his value
vm.warp(1728691200 + 1);
vm.startPrank(player1);
vm.expectRevert();
dussehra.killRavana();
vm.stopPrank();
// Organizer can select a new Ram even if we already have one
vm.startPrank(organizer);
choosingRam.selectRamIfNotSelected();
vm.stopPrank();
assertEq(choosingRam.selectedRam(), address(player2));
}
Result
Even we have a Ram selected , it is not possible to kill Ravana during the Event
forge test --mt test_isRamSelected_flag_never_true
[⠊] Compiling...
No files changed, compilation skipped
Ran 1 test for test/Dussehra.t.sol:CounterTest
[PASS] test_isRamSelected_flag_never_true() (gas: 449405)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 11.66ms (806.96µs CPU time)
Tools Used
Manual review.
Recommendations
Fix the error in the code
function increaseValuesOfParticipants(
uint256 tokenIdOfChallenger,
uint256 tokenIdOfAnyParticipant // Even if a Ram is already selected, the user can still call this function
)
public
RamIsNotSelected
{
if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfChallenger();
}
if (tokenIdOfAnyParticipant > ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfParticipant();
}
if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {
revert ChoosingRam__CallerIsNotChallenger();
}
if (block.timestamp > 1728691200) {
revert ChoosingRam__TimeToBeLikeRamFinish();
}
uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;
if (random == 0) {
if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false) {
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false) {
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false) {
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false) {
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);
} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false) {
ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);
selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;
+ isRamSelected = true;
}
} else {
if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isJitaKrodhah == false) {
ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, false, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isDhyutimaan == false) {
ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, false, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isVidvaan == false) {
ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, false, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isAatmavan == false) {
ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, true, false);
} else if (ramNFT.getCharacteristics(tokenIdOfAnyParticipant).isSatyavaakyah == false) {
ramNFT.updateCharacteristics(tokenIdOfAnyParticipant, true, true, true, true, true);
selectedRam = ramNFT.getCharacteristics(tokenIdOfAnyParticipant).ram;
+ isRamSelected = true;
}
}
}
Updates
Lead Judging Commences
bube about 1 year ago
Submission Judgement Published Assigned finding tags:
`isRamSelected` is not set
Rewards breakdown
nSLOC
218This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.