Trick or Treat

First Flight #27 (Beginner Friendly, Foundry), 100 EXP

Submission Details
Severity: low
Status: Invalid

[EVMN] NFTs Held Hostage

Summary

A number of NFTs can be held hostage by a user who has no genuine intent to purchase.

Vulnerability Details

The code on lines 85-87 indicates that a newly minted NFT is temporarily held by the contract when the caller gets a trick that doubles the NFT price (i.e., costMultiplierNumerator == 2) and the amount of native asset the caller paid is less than the doubled price. The user is then expected to call resolveTrick() to pay the remaining amount, after which the NFT is released to them.

This logic can be weaponised by a malicious user. Consider the following steps:

  1. The user calls trickOrTreat() and guesses the random value, expecting a trick. The user sends a msg.value that is much less than the requiredCost.

  2. The user repeats step 1 as many times as possible (say, x times).

  3. The user never calls resolveTrick().

As a result, x NFTs are stuck in the contract, held hostage by the user, because the user is the only party that can release them.

Impact

NFTs can potentially get stuck in the contract.

Tools Used

Manual review.

Recommendations

Consider adding a deadline to each pending trick, after which the owner can release the NFT.
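The sketch below shows one way to implement that recommendation. It is an added example written for this report, not the First Flight's contract: the Pending struct, RESOLVE_WINDOW, _holdPending() and reclaimExpired() are assumed names, and it assumes OpenZeppelin Contracts v5 for ERC721 and Ownable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical minimal contract illustrating a resolve deadline for pending tricks.
contract PendingTrickWithDeadline is ERC721, Ownable {
    uint256 public constant RESOLVE_WINDOW = 1 days; // assumed window length

    struct Pending {
        address buyer;         // caller who got the trick
        uint256 remainingCost; // doubled price minus what was already paid
        uint256 deadline;      // after this, the owner may reclaim the token
    }

    mapping(uint256 => Pending) public pending; // tokenId => pending trick
    uint256 public nextTokenId;

    constructor() ERC721("Trick", "TRK") Ownable(msg.sender) {}

    /// Called from the mint path when the price doubled and msg.value is short:
    /// the token is minted to the contract and a deadline is recorded.
    function _holdPending(address buyer, uint256 requiredCost) internal {
        uint256 tokenId = nextTokenId++;
        _mint(address(this), tokenId);
        pending[tokenId] = Pending(buyer, requiredCost - msg.value, block.timestamp + RESOLVE_WINDOW);
    }

    /// Buyer pays the remainder before the deadline and receives the token.
    function resolveTrick(uint256 tokenId) external payable {
        Pending memory p = pending[tokenId];
        require(p.buyer == msg.sender, "not buyer");
        require(block.timestamp <= p.deadline, "deadline passed");
        require(msg.value >= p.remainingCost, "insufficient payment");
        delete pending[tokenId];
        _transfer(address(this), msg.sender, tokenId);
    }

    /// Mitigation: once the deadline has passed, the owner can release the token,
    /// so an unresolved trick no longer holds it in the contract indefinitely.
    function reclaimExpired(uint256 tokenId, address to) external onlyOwner {
        Pending memory p = pending[tokenId];
        require(p.buyer != address(0), "not pending");
        require(block.timestamp > p.deadline, "still resolvable");
        delete pending[tokenId];
        _transfer(address(this), to, tokenId);
    }
}
```

What happens to the partial payment on reclaim (kept, or refunded to the buyer) is a policy choice the page does not settle, so the example leaves it untouched.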

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.
