First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Malicious Users can easily become `selectedRam` which discourages other users from participating

codexbugmenot

Summary

Anyone can create multiple aliases and can get two Ram NFT's and then they can challenge themselves by calling ChoosingRam::increaseValuesOfParticipants multiple times making one of their NFTs get all characteristics and even become selected ram

Vulnerability Details

A Player gets two NFTs
The Player calls ChoosingRam::increaseValuesOfParticipants multiple times with his NFT tokenIds's as args
with a minimum of 5 transactions and a maximum of 10 transactions, one of his NFT's will become selectedRam
Now when Dussehra Muhurat starts he can kill Ravan and withdraw his rewards

Impact

The Protocol is designed as a raffle among the participants which gives half of the amount as a fee to the organiser and the other half to the winner but if a person can become selectedRam almost as soon as the protocol is deployed then no more players will enterPeopleWhoLikeRam as there will be no rewards pot for them.

Tools Used

Manual Review

Recommendations

The protocol is designed for a player to challenge other tokenId's with ChoosingRam::increaseValuesOfParticipants but anyone can have multiple aliases and can own multiple nft's hence it would be a better design if there is a selected ram array where all the addresses which own the NFT with all characteristics true can be stored and once the time to be like ram finishes organiser can select Ram.

This way players are encouraged to get Characteristics to be included in the RamArray and
the organiser can selectRam randomly from those who have all characteristics.

make the following changes in ChoosingRam.sol

// SPDX-License-Identifier: MIT

pragma solidity 0.8.20;

import {RamNFT} from "./RamNFT.sol";

contract ChoosingRam {

error ChoosingRam__InvalidTokenIdOfChallenger();

error ChoosingRam__InvalidTokenIdOfPerticipent();

error ChoosingRam__TimeToBeLikeRamFinish();

error ChoosingRam__CallerIsNotChallenger();

error ChoosingRam__TimeToBeLikeRamIsNotFinish();

error ChoosingRam__EventIsFinished();

bool public isRamSelected;

RamNFT public ramNFT;

address public selectedRam;

+ address[] public RamArray;

modifier RamIsNotSelected() {

require(!isRamSelected, "Ram is selected!");

}

modifier OnlyOrganiser() {

require(ramNFT.organiser() == msg.sender, "Only organiser can call this function!");

}

constructor(address _ramNFT) {

isRamSelected = false;

ramNFT = RamNFT(_ramNFT);

}

function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent)

public

RamIsNotSelected

{

if (tokenIdOfChallenger > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfChallenger();

}

if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {

revert ChoosingRam__InvalidTokenIdOfPerticipent();

}

if (ramNFT.getCharacteristics(tokenIdOfChallenger).ram != msg.sender) {

revert ChoosingRam__CallerIsNotChallenger();

}

if (block.timestamp > 1728691200) {

revert ChoosingRam__TimeToBeLikeRamFinish();

}

uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))) % 2;

if (random == 0) {

if (ramNFT.getCharacteristics(tokenIdOfChallenger).isJitaKrodhah == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, false, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isDhyutimaan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isVidvaan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isAatmavan == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, false);

} else if (ramNFT.getCharacteristics(tokenIdOfChallenger).isSatyavaakyah == false) {

ramNFT.updateCharacteristics(tokenIdOfChallenger, true, true, true, true, true);

- selectedRam = ramNFT.getCharacteristics(tokenIdOfChallenger).ram;

+ RamArray.push(ramNFT.getCharacteristics(tokenIdOfChallenger).ram);

}

} else {

if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isJitaKrodhah == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, false, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isDhyutimaan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, false, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isVidvaan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, false, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isAatmavan == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, false);

} else if (ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).isSatyavaakyah == false) {

ramNFT.updateCharacteristics(tokenIdOfAnyPerticipent, true, true, true, true, true);

- selectedRam = ramNFT.getCharacteristics(tokenIdOfAnyPerticipent).ram;

+ RamArray.push(ramNFT.getCharacteristics(tokenIdOfChallenger).ram);

}

function selectRamIfNotSelected() public RamIsNotSelected OnlyOrganiser {

if (block.timestamp < 1728691200) {

revert ChoosingRam__TimeToBeLikeRamIsNotFinish();

}

if (block.timestamp > 1728777600) {

revert ChoosingRam__EventIsFinished();

}

+ if (RamArray.length == 0) {

+ uint256 random = uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % RamArray.length;

+ selectedRam = RamArray[random];

+ isRamSelected = true;

+ } else {

uint256 random =

uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramNFT.tokenCounter();

selectedRam = ramNFT.getCharacteristics(random).ram;

isRamSelected = true;

+ }

}

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Challenge themselves

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.