Aptos Pizza Drop

Cyfrin

Beginner FriendlyGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

The amount for reward or drop is coded wrong

rizdarmwn

Description

The expected behavior is the rewarded amount is 100 - 500 APT Coins, but the amount coded for the drop is 100 to 500 in u64, where that is 0.000001 - 0.000005 APT.

#[randomness]

entry fun get_random_slice(user_addr: address) acquires ModuleData, State {

let state = borrow_global_mut<State>(get_resource_address());

let time = timestamp::now_microseconds();

@> let random_val = time % 401;

@> let random_amount = 100 + random_val; // 100-500 APT (in Octas: 10^8 smallest unit)

table::add(&mut state.users_claimed_amount, user_addr, random_amount);

}

Risk

Likelihood:

Every registered user will be allocated amount between 0.000001 - 0.000005 APT.

Impact:

The business logic itself is invalidated, where it should be 100 - 500 APT.

Proof of Concept

Running the test test_pizza_drop_with_apt will result (assuming the randomness is 383):

[debug] "=== PIZZA DROP WITH APT TEST ==="

[debug] "Pizza drop module initialized"

[debug] "Deployer APT balance: "

[debug] 100000

[debug] "Contract APT balance: "

[debug] 10000

[debug] "User registered successfully"

[debug] "User assigned amount: "

[debug] 383

[debug] "User claimed their slice"

[debug] "User APT balance: "

[debug] 383

[debug] "Final contract balance: "

[debug] 9617

[debug] "Tracked balance: "

[debug] 9617

[debug] "=== PIZZA DROP TEST PASSED! ==="

Where user APT balance is 383 in u64 which means it is 0.00000383 APT.

Recommended Mitigation

Make the number represent 401 APT and 100 APT in random_val and random_amount variables by multiplying it to 100_000_000

#[randomness]

entry fun get_random_slice(user_addr: address) acquires ModuleData, State {

let state = borrow_global_mut<State>(get_resource_address());

let time = timestamp::now_microseconds();

- let random_val = time % 401;

- let random_amount = 100 + random_val; // 100-500 APT (in Octas: 10^8 smallest unit)

+ let random_val = time % 40100000000;

+ let random_amount = 10000000000 + random_val; // 100-500 APT (in Octas: 10^8 smallest unit)

table::add(&mut state.users_claimed_amount, user_addr, random_amount);

}

Updates

Appeal created

bube Lead Judge 10 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect APT value

Rewards breakdown

nSLOC

125

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.