Submission Details
Severity: high
Valid

Anyone can call the random slice function to change the amount they get

Public Function - High Impact

Description

  • Anyone can call `get_random_slice`.

  • Let's say you gave a pizza lover such as myself 100 slices instead of 500. Now I am upset, and I can see this vulnerability in your code. Because I am greedy and want 500 slices, I would just call this function over and over until I get 500 slices instead of the 100 you gave me.

P.S. I know you will give me 500 slices because now you know I love pizza and you guys are cool!

entry fun get_random_slice(user_addr: address) acquires ModuleData, State {....} // line 121

Risk: High

Likelihood: Pretty sure I'm not the only pizza lover who can read code, so it's highly likely.

  • Reason 1: the function has no ownership check. You need to add a guard (the Move equivalent of a modifier) that allows only the contract owner to call this function.

  • Reason 2: there are no other checks or functions that would prevent any registered user from exploiting this function.

Impact: High

  • Impact 1: people can manipulate the amount of slices they get (sorry if I sound repetitive; I'm just not sure how to explain the impacts in a different way :D).

  • Impact 2: it would make the competition unfair and might even drain the pizza supply, so not everyone would get some.

Proof of Concept

  • First, we run a local node with the following command:

aptos node run-local-testnet --with-faucet

  • Then we initialize two accounts by running:

aptos init --profile deployer --network local
aptos init --profile user --network local

  • We fund both accounts:

aptos account fund-with-faucet --profile deployer --amount 100000000
aptos account fund-with-faucet --profile user --amount 100000000

  • Then we deploy the PizzaDrop contract using the "deployer" account (had to skip the dependencies update because it wasn't working for me):

aptos move publish --profile deployer --named-addresses pizza_drop=deployer --skip-fetch-latest-git-deps

  • The other account, "user", directly calls the "get_random_slice" function without being registered by the owner:

aptos move run --function-id deployer::airdrop::get_random_slice --args address:user --profile user

The above steps demonstrate that anyone can self-register, bypassing owner control, which goes against the competition's rules.

As of now there is only transfer logic, without the checks needed to limit who can register. By adding those checks, each caller of the function would be validated against a list of registered addresses before being allowed to proceed.

Recommended Mitigation

For this you can either change the visibility of the function to something more restricted, or add an ownership check so that only the contract owner can call it.

- remove this code: entry fun get_random_slice(user_addr: address) acquires ModuleData, State{}
+ add this code: fun get_random_slice(user_addr: address) acquires ModuleData, State{} // change the visibility of the function

alternative solution: keep the visibility public but add the same ownership check you already have on the "fund_pizza_drop" function. Note that the function must then receive the caller as `caller: &signer` (not only a plain `address`), because the check reads the transaction sender:

assert!(signer::address_of(caller) == state.owner, E_NOT_OWNER); // keep the visibility public but add this line to check for ownership
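As an added illustration of the mitigation (this is not the PizzaDrop module and not the author's patch), the following Move module sketches what the hardened entry point could look like. The `State` fields, the error constants, `register_user` and `assert_owner` are assumptions standing in for the project's real code; only the named address `pizza_drop` and the function name come from the report.

```move
/// Illustrative hardening written for this report. Not the PizzaDrop module:
/// State fields, error codes, register_user and assert_owner are assumptions.
module pizza_drop::airdrop_hardened {
    use std::error;
    use std::signer;
    use std::vector;

    /// Transaction sender is not the contract owner.
    const E_NOT_OWNER: u64 = 1;
    /// Recipient was never registered by the owner.
    const E_NOT_REGISTERED: u64 = 2;
    /// Recipient already received a slice (blocks the "call it again" re-roll).
    const E_ALREADY_CLAIMED: u64 = 3;

    /// Assumed contest state: who owns the drop, whom the owner registered,
    /// and who has already been served.
    struct State has key {
        owner: address,
        registered: vector<address>,
        claimed: vector<address>,
    }

    /// Owner gate, the same shape as the check the report proposes. It only
    /// works because the caller arrives as a `&signer`: a bare `address`
    /// parameter, as in the original signature, can be supplied by anyone
    /// and proves nothing about who sent the transaction.
    fun assert_owner(caller: &signer, owner: address) {
        assert!(
            signer::address_of(caller) == owner,
            error::permission_denied(E_NOT_OWNER)
        );
    }

    /// Only the owner may add participants to the registered list.
    public entry fun register_user(caller: &signer, user_addr: address) acquires State {
        let state = borrow_global_mut<State>(@pizza_drop);
        assert_owner(caller, state.owner);
        if (!vector::contains(&state.registered, &user_addr)) {
            vector::push_back(&mut state.registered, user_addr);
        };
    }

    /// Hardened replacement for the open
    /// `entry fun get_random_slice(user_addr: address)`:
    ///   1. the sender must be the owner;
    ///   2. the recipient must be on the registered list;
    ///   3. each recipient is served once, so a repeat call cannot re-roll.
    public entry fun get_random_slice(caller: &signer, user_addr: address) acquires State {
        let state = borrow_global_mut<State>(@pizza_drop);
        assert_owner(caller, state.owner);
        assert!(
            vector::contains(&state.registered, &user_addr),
            error::invalid_argument(E_NOT_REGISTERED)
        );
        assert!(
            !vector::contains(&state.claimed, &user_addr),
            error::invalid_state(E_ALREADY_CLAIMED)
        );
        vector::push_back(&mut state.claimed, user_addr);
        // Slice amount computation and the transfer belong here, unchanged
        // from the original module; only the gating above is new.
    }
}
```

With a `&signer` as the first parameter, the Aptos CLI fills it from the sending profile, so the report's proof-of-concept call made with `--profile user` would now abort with `E_NOT_OWNER` before any slice logic runs; the `claimed` list additionally removes the incentive to retry, since even the owner cannot re-roll an address that has already been served.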
Updates

Appeal created

bube Lead Judge 9 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can call `get_random_slice` function
