First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`ChoosingRam::increaseValuesOfParticipants` do not check properly the tokenID, any user can fight against a non-existing token.

n0kto

Description

ChoosingRam::increaseValuesOfParticipants accepts any token in parameters if they pass those condition:

First token is owned by the caller.
Used tokens have an id lower than the tokenCounter

Problem is, the tokenIdOfAnyPerticipent can be equal to tokenCounter and this counter return the next id to be minted. Then the token with this ID do not exists.

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)

public

RamIsNotSelected

{

if (tokenIdOfChallenger > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfChallenger();

}

@> if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfPerticipent();

}

Since the other function like getCharacteristics do not check if a token exists, anyone can fight against a non-existing token and increase its values.
But when the new token will be refreshed at the minting process, mitigating a part of this bug, but allowing anyone to take no risk at all to become Ram easier.

function mintRamNFT(address to) public {

uint256 newTokenId = tokenCounter++;

_safeMint(to, newTokenId);

Characteristics[newTokenId] = CharacteristicsOfRam({

ram: to,

isJitaKrodhah: false,

isDhyutimaan: false,

isVidvaan: false,

isAatmavan: false,

isSatyavaakyah: false

});

}

Risk

Likelyhood: High

Anyone can call increaseValuesOfParticipants with a non-existing tokenIdOfAnyPerticipent.

Impact: High

Permits to fight a non-existing token and increase values of the attacker token without any risk.

Recommended Mitigation

Correct the wrong lines:

- if (tokenIdOfChallenger > ramNFT.tokenCounter()) {

+ if (tokenIdOfChallenger >= ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfChallenger();

}

- if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {

+ if (tokenIdOfAnyPerticipent >= ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfPerticipent();

}

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

The token counter check is incorrect

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!