One Shot: Reloaded

First Flight #47
Beginner FriendlyNFT
100 EXP
View results
Submission Details
Severity: high
Valid

[L-02] No Validation of Token Authenticity in Battle Functions

Root + Impact

Description

The battle system accepts any Object without verifying it belongs to the "Rappers" collection, allowing users to submit non-Rapper tokens for battles. This creates a vulnerability where invalid or malicious tokens could be used in the battle system.

The go_on_stage_or_battle function doesn't validate that the provided token is an authentic Rapper NFT from the correct collection, potentially allowing any token object to be used.

// In rap_battle.move
@> public entry fun go_on_stage_or_battle(
@> player: &signer,
@> rapper_token: Object<Token>, // No collection validation
@> bet_amount: u64
@> ) acquires BattleArena {

Risk

Likelihood:

  • Users could accidentally submit wrong tokens

  • Malicious actors could attempt to use invalid tokens

  • The validation check is missing entirely

Impact:

  • Battle system could accept invalid tokens

  • Potential confusion and user errors

  • Reduced protocol integrity

Proof of Concept

This PoC demonstrates how invalid tokens could be submitted:

// Attack scenario with invalid token
let invalid_token = /* any non-Rapper Token object */;
let user = account::create_account_for_test(@user_addr);
// Invalid token could be submitted
rap_battle::go_on_stage_or_battle(&user, invalid_token, 100);
// The function would accept this token without validation
// Result: Non-Rapper NFTs could participate in battles
// This breaks the game's integrity and rules

Recommended Mitigation

The mitigation adds validation to ensure only authentic Rapper NFTs can participate:

+ const E_INVALID_TOKEN: u64 = 11;
+
public entry fun go_on_stage_or_battle(
player: &signer,
rapper_token: Object<Token>,
bet_amount: u64
) acquires BattleArena {
+ let token_metadata = token::metadata(rapper_token);
+ assert!(token_metadata.collection_name == string::utf8(b"Rappers"), E_INVALID_TOKEN);
+
// ... rest of function
}

This validation ensures only tokens from the official "Rappers" collection can participate in battles.

Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Malicious player can call `go_on_stage_or_battle` function with non-rapper NFT

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.