Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

User may cost more token

yxsec

Description of the Code Vulnerability

The vulnerability in the Solidity contract's function resolveTrick is related to the unauthorized change of the requiredCost without proper updating mechanisms to previously initiated purchase agreements (i.e., in pendingNFTsAmountPaid).

The function relies on a dynamic calculation of the requiredCost (treat.cost * 2), which is directly tied to the treat associated with the tokenId. If the treat's cost associated with a specific tokenId is changed after a user initiates a purchase but before they complete it, it can put the user in a position where the requiredCost becomes unexpectedly higher. This can happen especially if additional msg.value (ETH) sent aligns with a previously accurate price but becomes insufficient due to a change in treat.cost.

Step-by-Step Exploit Scenario

Initial Scenario Setup:
- Assume a user initiates the purchase of a Treat (represented by a tokenId) whose original cost is X ETH. Therefore, the initially computed requiredCost would be 2X ETH.
- The user sends a portion of the cost, say X ETH, which is stored in pendingNFTsAmountPaid[tokenId].
Cost Amendment by Contract Owner/Admin:
- Before the user sends the remainder of the required ETH, the treat.cost for the specific tokenId is updated by the contract owner or through another function in the contract, changing treat.cost from X to 2X. Now, the new requiredCost expected becomes 4X ETH.
User Completes the Purchase:
- The user, unaware of the change in pricing, sends an additional X ETH to complete the assumed 2X ETH total price.
- The function now evaluates the total paid (2X ETH from pendingNFTsAmountPaid[tokenId] + X ETH msg.value) against the new requiredCost (4X ETH), and finds it insufficient.
Resulting in Denial of Service or Loss of Funds:
- The user has now paid 3X ETH but cannot complete the purchase due to the new requiredCost of 4X ETH, leading to either a need for an additional payment or possible loss of funds if the user decides against continuing the purchase.

Explanation

This vulnerability leaves room for unexpected behavior and potential financial loss for users, contingent on external control over the cost parameter of a treat. A suitable fix would involve locking the price at the time of initial payment or implementing mechanisms that ensure users are informed and consent to new prices before additional payments are made. This exploit outlines how a seemingly fair transaction becomes unfair due to unannounced changes in transaction terms, directly impacting user trust and contract integrity.

Updates

Appeal created

bube Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] Change cost between the call of trickOrTreat and resolveTrick

Only the owner has the rights to change the cost of the treat. Therefore it is assumed that the owner will not change the cost of the pending NFTs. The owner role is trusted.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.