Trick or Treat
First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Pending Mechanism Abuse

edmpulasky

Summary

As random = 2 costMultiplierNumerator=2 and costMultiplierDenominator, allows malicious users to make treats:Pending of any price over an unlimited times.

Vulnerability Details

Due to deterministic randomness SpookySwap:random, malicious users can set aside continuously any amount of treats by sending 0 ether on SpookySwap:trickOrTreat if random = 2. they might not have the intention of SpookySwap:resolveTrick but are overloading the protocol, abusing the pending mechanism.

Impact

Although it does not affect Owner fee collect, the lack of minimun value allows them to overload the protocol.

Tools Used

  • Manual Review

  • Foundry testing tool

When a Treat is set as pending it emits the Swapped Event.

function testDOSonPendingMechanism() public {
protocol.addTreat("candy", 1 ether, "uri1");
uint256 tokenId = protocol.nextTokenId();
uint256 random;
//look for random value equals to 2
while (true) {
uint256 timestramp = block.timestamp;
random = uint256(keccak256(abi.encodePacked(timestramp, address(user), tokenId, block.prevrandao))) % 1000 + 1;
if (random == 2) {
break;
}
vm.warp(timestramp + 1);
}
vm.prank(user);
vm.expectEmit();
emit Swapped(address(user), "candy", tokenId);
//call with zero value
protocol.trickOrTreat{ value: 0 }("candy");
}

Recommendations

  1. Minimum payment required

  2. Rate Limiting: a mechanism to limit the amount of pending items

Updates

Appeal created

bube Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.