Trick or Treat

First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Invalid

Race Condition Transfer Attack

Vulnerability Details:

The exploitable vulnerability in the resolveTrick function relies on the logical error concerning how _transfer is called and processed without first withdrawing and resetting relevant state variables (pendingNFTs[tokenId], pendingNFTsAmountPaid[tokenId], tokenIdToTreatName[tokenId]) or performing state checks that guarantee the transfer's preconditions are met and unchangeable after the transfer.

Step-by-Step Exploitation:

  1. Preparation and Initial Purchase Intent: The attacker first observes a transaction where a legitimate buyer triggers the resolveTrick function and determines to partially pay for an NFT (tokenId) with an insufficient amount to trigger premature NFT transfer.

  2. Race to Reuse TokenId: The attacker watches the Ethereum mempool for transactions from the legitimate buyer calling resolveTrick. Before the legitimate buyer's transaction is mined and included in a block, the attacker initiates another transaction calling the same resolveTrick function with the same tokenId, paying enough to fulfill the requiredCost.

  3. Transaction Mining Order Ambiguity: If the attacker’s transaction is mined and processed before the legitimate buyer’s transaction, the following situation unfolds:

    • The resolveTrick checks pass for the attacker since the pendingNFTs[tokenId] still points to the legitimate buyer (misconfiguration or lag in updating this state variable might prevent immediate updates across nodes).

    • The _transfer method inside resolveTrick will transfer ownership of the NFT to the attacker. Since the attacker's transaction met the ETH amount check (totalPaid >= requiredCost), the transfer executes successfully.

  4. Final State and Outcome: Once mined:

    • If the attacker's transaction is processed first, the attacker receives the NFT.

    • The subsequent processing of the legitimate buyer’s transaction might either fail (due to changed ownership checks within the _transfer method if implemented) or due to changes in pendingNFTs[tokenId] (if it gets updated before this transaction gets processed), making it impossible for the legitimate buyer to claim the NFT.

    • The attacker can now resell the NFT or reap benefits that were meant for the legitimate initial buyer.

Concluding Thoughts:

This exploit relies on a race condition facilitated by poor practices in handling state updates and mutations after performing sensitive operations such as NFT transfers. Resolving this issue requires restructuring the operations to assure all state checks and balances are updated or verified immediately before changing ownership and critical response operations like transferring assets. Additionally, considering stringent checks on transaction atomicity and conditions could prevent such exploitation.

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.