Submission Details
Severity: high
Valid

Invalid tokenId

Summary

An invalid tokenId can be passed to the ChoosingRam::increaseValuesOfParticipants function as the tokenIdOfAnyPerticipent parameter.

Vulnerability Details

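The function ChoosingRam::increaseValuesOfParticipants checks whether each tokenId is valid, but it compares the tokenId to ramNFT.tokenCounter() using > rather than >=. A tokenId equal to tokenCounter therefore passes the check even though it is not a valid tokenId.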

Code
function test_InvalidTokenIds() public Moreparticipants {
    // valid tokenIds are 0,1,2.
    vm.startPrank(player1);
    // tokenId 3 is outside the valid range but still passes the check.
    choosingRam.increaseValuesOfParticipants(0, 3);
    choosingRam.increaseValuesOfParticipants(0, 3);
    choosingRam.increaseValuesOfParticipants(0, 3);
    choosingRam.increaseValuesOfParticipants(0, 3);
    choosingRam.increaseValuesOfParticipants(0, 3);
    vm.stopPrank();
}

Impact

The selected ram could be the zero address, leading to funds getting stuck in the contract.
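
The boundary condition behind this finding, shown on a simplified model as an added example (not the contest's ChoosingRam or RamNFT code). BoundCheckModel, ownerLoose, ownerStrict and InvalidTokenId are hypothetical names, and the owner mapping is an assumption about how an unminted id resolves to the zero address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified model (assumption), not the contest's RamNFT/ChoosingRam source.
contract BoundCheckModel {
    error InvalidTokenId();
    uint256 public tokenCounter; // next id to mint; valid ids are 0..tokenCounter-1
    mapping(uint256 => address) public ownerOfToken; // unminted ids read as address(0)

    function mint(address to) external {
        ownerOfToken[tokenCounter] = to;
        tokenCounter++;
    }

    // Bound as reported: id == tokenCounter is accepted.
    function ownerLoose(uint256 id) external view returns (address) {
        if (id > tokenCounter) revert InvalidTokenId();
        return ownerOfToken[id];
    }

    // Bound as recommended: id == tokenCounter is rejected.
    function ownerStrict(uint256 id) external view returns (address) {
        if (id >= tokenCounter) revert InvalidTokenId();
        return ownerOfToken[id];
    }
}

contract BoundCheckModelTest is Test {
    BoundCheckModel model;

    function setUp() public {
        model = new BoundCheckModel();
        for (uint160 i = 1; i <= 3; i++) model.mint(address(i)); // mints ids 0, 1, 2
    }

    function test_LooseBoundAcceptsUnmintedId() public {
        assertEq(model.tokenCounter(), 3);
        assertEq(model.ownerLoose(3), address(0)); // zero address slips through
    }

    function test_StrictBoundRejectsUnmintedId() public {
        vm.expectRevert(BoundCheckModel.InvalidTokenId.selector);
        model.ownerStrict(3);
    }

    function test_StrictBoundKeepsLastValidId() public {
        assertEq(model.ownerStrict(2), address(3));
    }
}
```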

Tools Used

Manual analysis

Recommendations

Enforce stricter constraints on the tokenIds of participants in the ChoosingRam::increaseValuesOfParticipants function.

- if (tokenIdOfChallenger > ramNFT.tokenCounter()) {
+ if (tokenIdOfChallenger >= ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfChallenger();
}
- if (tokenIdOfAnyPerticipent > ramNFT.tokenCounter()) {
+ if (tokenIdOfAnyPerticipent >= ramNFT.tokenCounter()) {
revert ChoosingRam__InvalidTokenIdOfPerticipent();
}
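
Review bot: Both changed comparisons (tokenIdOfChallenger and tokenIdOfAnyPerticipent against ramNFT.tokenCounter()) need a boundary regression test, because test_InvalidTokenIds above only calls the function and asserts nothing. Add one test per parameter that passes a tokenId equal to ramNFT.tokenCounter() and expects ChoosingRam__InvalidTokenIdOfChallenger or ChoosingRam__InvalidTokenIdOfPerticipent respectively, plus a test confirming that tokenCounter() - 1 is still accepted, so the off-by-one cannot return unnoticed.
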
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The token counter check is incorrect
