Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Exploitable Discount Mechanism in NFT Minting

viktorcortess

Summary

This report identifies a vulnerability in the SpookySwap contract, where a motivated attacker (referred to as Bob) can manipulate the random discount mechanism in the trickOrTreat function to acquire NFTs at half price. By carefully controlling msg.value and leveraging revert conditions on refunds, Bob can attempt to benefit from the discounted price condition (random == 1) while avoiding the other pricing scenarios. This exploit requires no more than 1000 attempts on average, and it leads to potential revenue loss for the contract owner.

Vulnerability Details

The vulnerability arises from the pseudo-random pricing logic in the trickOrTreat function. This function sets a requiredCost depending on a random condition:

With a 1/1000 chance, the price is halved (when random == 1).
With another 1/1000 chance, the price doubles (when random == 2).
In all other cases, the standard price applies.

Bob’s attack strategy is as follows:

Avoidance of random == 2: Bob does not want random == 2, as this would result in the NFT being minted for the contract itself, requiring him to pay the remaining amount later to claim it. To counter this, Bob increases his msg.value to 300% of the NFT cost and implements a revert condition in his contract to withdraw from the transaction if the refund is exactly 100% of the NFT cost, which occurs under the random == 2 condition.
Avoidance of Standard Pricing: To prevent minting at the standard price, Bob also adds a revert condition in his contract to cancel the transaction if the refund is 200% of the NFT cost, which indicates standard pricing.

By adopting this approach, Bob guarantees that only transactions resulting in a 50% price discount (random == 1) are completed, maximizing his chances of purchasing the NFT at a discount.

Impact

The impact of this vulnerability is significant. By executing this strategy:

Bob can exploit the contract’s pseudo-random pricing system, resulting in financial losses to the contract owner.
Given that the likelihood of obtaining a discount is 1/1000, Bob can make repeated attempts (up to 1000 on average) with minimal gas cost until he secures the NFT for half the price.
This undermines the intended random price structure and could lead to revenue loss and reputational damage for the contract owner.

Tools Used

vscode

Recommendations

Limit Refunds to Discounted Purchases: Enable automatic refunds only for successful purchases made at a 50% discount (random == 1). This ensures that transactions under standard or double-price conditions do not interact with Bob’s contract through call, as they will not issue refunds.

Updates

Appeal created

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.