The protocol maintains an internal ownership registry (the RapperStats.stats table) that tracks NFT ownership separately from the actual token objects. This creates a critical vulnerability: the internal registry can become desynchronized from actual token ownership, leading to users losing access to their NFTs in the staking and battle functions.
When NFTs are transferred outside the protocol's controlled functions, the internal registry becomes outdated while the actual token ownership changes, resulting in users being unable to stake or battle with their legitimate NFTs.
Likelihood:
NFTs can be transferred directly via object::transfer, bypassing the protocol's internal registry
Users may accidentally transfer NFTs outside the protocol's controlled functions
The internal registry has no mechanism to sync with actual token ownership
Impact:
Users lose access to staking and battle functionality for their legitimate NFTs
Ownership disputes between internal registry and actual token ownership
Protocol dysfunction as core features become unreliable
This PoC demonstrates how the ownership registry becomes desynchronized:
The mitigation implements a synchronization mechanism to keep the internal registry aligned with actual token ownership:
This mitigation adds a synchronization mechanism that updates the internal ownership registry whenever token ownership changes, ensuring the registry always reflects the actual token owner.