Severity: medium
Valid

User can keep playing until he/she becomes the selected Ram

Summary

The function ChoosingRam::increaseValuesOfParticipants is designed to allow a challenger to compete against another user, with the winner's characteristics being updated. However, there is a vulnerability that allows an attacker to exploit the function by passing their token ID for both tokenIdOfChallenger and tokenIdOfAnyPerticipent. This allows the attacker to continuously call the function and ensure they are the selected Ram, thereby manipulating the competition and winning.

Vulnerability Details

Function Affected: ChoosingRam::increaseValuesOfParticipants

Parameters: tokenIdOfChallenger, tokenIdOfAnyPerticipent

Issue: The function does not validate that tokenIdOfChallenger and tokenIdOfAnyPerticipent are different, allowing users to pass the same token ID for both parameters.

Exploitation: An attacker can exploit this by repeatedly calling the function with the same token ID for both parameters, ensuring that they win and become the Ram.

Impact

The vulnerability undermines the fairness of the competition by allowing attackers to guarantee wins and continuously improve their characteristics without legitimate competition.

POC

    function test_increaseValuesOfParticipants1() public participants {
        vm.startPrank(player1);
        // Token 0 is passed as both challenger and participant, so every call
        // upgrades token 0 regardless of which side is picked as the winner.
        choosingRam.increaseValuesOfParticipants(0, 0);
        choosingRam.increaseValuesOfParticipants(0, 0);
        choosingRam.increaseValuesOfParticipants(0, 0);
        choosingRam.increaseValuesOfParticipants(0, 0);
        choosingRam.increaseValuesOfParticipants(0, 0);
        vm.stopPrank();
        // After five self-challenges the final characteristic is set.
        assertEq(ramNFT.getCharacteristics(0).isSatyavaakyah, true);
    }

Tools Used

Manual Review

Recommendations

To address this vulnerability, the increaseValuesOfParticipants function should be modified to include a validation check ensuring that tokenIdOfChallenger and tokenIdOfAnyPerticipent are not the same. This will prevent users from exploiting the function by competing against themselves.

    function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent) external {
        require(tokenIdOfChallenger != tokenIdOfAnyPerticipent, "Challenger and participant cannot be the same token");
        // Existing logic for increasing values
    }
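
A regression test for the recommended check, added here as an example and not taken from the contest's contract or test suite. `DuelModel` is a constructed stand-in for ChoosingRam: it assumes one level counter per token in place of the NFT characteristics, five wins to be selected, and a placeholder coin flip; the tests assume Foundry with forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for ChoosingRam (hypothetical, not the project's code):
// a per-token level counter replaces the characteristics; level 5 selects the Ram.
contract DuelModel {
    mapping(uint256 => uint256) public level;
    bool public ramSelected;
    bool public immutable enforceDistinct; // true = recommended check applied

    constructor(bool _enforceDistinct) { enforceDistinct = _enforceDistinct; }

    function increaseValuesOfParticipants(uint256 tokenIdOfChallenger, uint256 tokenIdOfAnyPerticipent) external {
        if (enforceDistinct) {
            require(tokenIdOfChallenger != tokenIdOfAnyPerticipent, "Challenger and participant cannot be the same token");
        }
        // Placeholder coin flip (assumption); its quality does not matter for this finding.
        bool challengerWins = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender, level[tokenIdOfChallenger]))) % 2 == 0;
        uint256 winner = challengerWins ? tokenIdOfChallenger : tokenIdOfAnyPerticipent;
        level[winner] += 1;
        if (level[winner] == 5) ramSelected = true;
    }
}

contract SelfChallengeTest is Test {
    function test_unpatched_selfChallengeAlwaysWins() public {
        DuelModel duel = new DuelModel(false);
        for (uint256 i = 0; i < 5; i++) duel.increaseValuesOfParticipants(0, 0);
        assertEq(duel.level(0), 5); // both outcomes credit token 0
        assertTrue(duel.ramSelected());
    }

    function test_patched_selfChallengeReverts() public {
        DuelModel duel = new DuelModel(true);
        vm.expectRevert(bytes("Challenger and participant cannot be the same token"));
        duel.increaseValuesOfParticipants(0, 0);
        assertEq(duel.level(0), 0); // no state change after the revert
    }

    function test_patched_distinctTokensStillCompete() public {
        DuelModel duel = new DuelModel(true);
        duel.increaseValuesOfParticipants(0, 1);
        assertEq(duel.level(0) + duel.level(1), 1); // exactly one side is credited
    }
}
```
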
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Challenge themselves
