Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

tricked or Treated for Free

edmpulasky

Summary

Treats with 1 wei cost, spooked at random = 1 => requiredCost:half-price are rounded to zero, leading to free tricks.

Vulnerability Details

By predicting random = 1 SpookySwap:trickOrTreat malicious users can buy Treats for free, due to divisions are exact in solidity 1/2 will be rounded as 0, doing so requiredCostto be 0, enabling free purchases, notice that Treats can be repriced and traded at higher prices.

// requiredCost = 1 * 1 / 2 -> 0.5 -> 0

- uint256 requiredCost = (treat.cost * costMultiplierNumerator) / costMultiplierDenominator;

Impact

This vulnerability only affects 1 wei per free purchase, it can be though considered as high knowing that along the time it's cumulative, which will affect withdrawFees.

Tools Used

Manual Review
Foundry Fuzz Testing
Certora (proof rule: users should pay for tricksOrTreats)

function testTreatsAt1WeiForFree() public {

protocol.addTreat("candy", 1 wei, "uri1");

uint256 nextTokenId = protocol.nextTokenId();

//predict random = 1

uint256 random;

while (true) {

uint256 timestramp = block.timestamp;

random = uint256(keccak256(abi.encodePacked(timestramp, address(user), nextTokenId, block.prevrandao))) % 1000 + 1;

if (random == 1) {

break;

}

vm.warp(timestramp + 1);

}

uint256 balanceBefore = address(user).balance;

vm.prank(user);

//trickOrTreat a 1 wei-cost Treat for free

protocol.trickOrTreat{ value: 1 ether }("candy");

//balance before and after equality user refunded (1 ether)

assert(address(user).balance == balanceBefore);

}

Recommendations

Usage of fixed-point arithmetic
Beware of precision loss

Updates

Appeal created

bube Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Very small cost

In case of treat, if the cost of the treat is very small, the user can get NFT for zero `requiredCost` due to rounding. Also, if the cost is small and odd, the user may get a given NFT at a lower price than intended.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.