One Shot: Reloaded

First Flight #48
Beginner Friendly, NFT
Submission Details
Severity: high
Valid

[L-02] No Validation of Token Authenticity in Battle Functions

Root + Impact

Description

The battle system accepts any `Object<Token>` without verifying that it belongs to the "Rappers" collection, so users can submit non-Rapper tokens for battles. Invalid or malicious tokens could therefore be used in the battle system.

The `go_on_stage_or_battle` function doesn't validate that the provided token is an authentic Rapper NFT from the correct collection, potentially allowing any token object to be used.

// In rap_battle.move
@> public entry fun go_on_stage_or_battle(
@> player: &signer,
@> rapper_token: Object<Token>, // No collection validation
@> bet_amount: u64
@> ) acquires BattleArena {

Risk

Likelihood:

  • Users could accidentally submit wrong tokens

  • Malicious actors could attempt to use invalid tokens

  • The validation check is missing entirely

Impact:

  • Battle system could accept invalid tokens

  • Potential confusion and user errors

  • Reduced protocol integrity

Proof of Concept

This PoC demonstrates how invalid tokens could be submitted:

// Attack scenario with invalid token
let invalid_token = /* any non-Rapper Token object */;
let user = account::create_account_for_test(@user_addr);
// Invalid token could be submitted
rap_battle::go_on_stage_or_battle(&user, invalid_token, 100);
// The function would accept this token without validation
// Result: Non-Rapper NFTs could participate in battles
// This breaks the game's integrity and rules

Recommended Mitigation

The mitigation adds validation to ensure only authentic Rapper NFTs can participate:

+ const E_INVALID_TOKEN: u64 = 11;
+
public entry fun go_on_stage_or_battle(
player: &signer,
rapper_token: Object<Token>,
bet_amount: u64
) acquires BattleArena {
+ let token_metadata = token::metadata(rapper_token);
+ assert!(token_metadata.collection_name == string::utf8(b"Rappers"), E_INVALID_TOKEN);
+
// ... rest of function
}
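Review bot: the added `assert!` compares only `token_metadata.collection_name` with "Rappers", and on Aptos a collection name is unique per creator, not globally, so a token from a different creator's collection that is also named "Rappers" satisfies it. Bind the check to the official collection itself, for example by also comparing the token's creator, or the address of its collection object, with the one the protocol mints from. The hunk also does not show where `token::metadata` comes from or that it returns a value with a `collection_name` field, so confirm the patch compiles against the token module that `rap_battle.move` imports.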

This validation ensures only tokens from the official "Rappers" collection can participate in battles.
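One way to pin the check to a single collection rather than to a name, as an added example that is not code from the submission or from the project. It assumes the `aptos_token_objects` framework; the module address `battle_addr`, the named address `rapper_creator` (the account that created the official collection) and the helper names are placeholders.

```move
// Added example. `battle_addr`, `rapper_creator` and the function names are
// assumptions; both named addresses would have to be declared in Move.toml.
module battle_addr::rapper_check {
    use std::string;
    use aptos_framework::object::{Self, Object};
    use aptos_token_objects::collection;
    use aptos_token_objects::token::{Self, Token};

    /// Same error code as in the recommended mitigation.
    const E_INVALID_TOKEN: u64 = 11;
    const COLLECTION_NAME: vector<u8> = b"Rappers";

    /// Address of the one collection the game trusts. A collection object's
    /// address is derived from (creator address, collection name), so
    /// comparing against it pins the creator as well as the name.
    fun official_collection(): address {
        collection::create_collection_address(
            &@rapper_creator,
            &string::utf8(COLLECTION_NAME),
        )
    }

    /// Aborts with E_INVALID_TOKEN unless `rapper_token` belongs to the
    /// official collection. A collection with the same name under another
    /// creator has a different address and is rejected.
    public fun assert_is_rapper(rapper_token: Object<Token>) {
        let coll = token::collection_object(rapper_token);
        assert!(
            object::object_address(&coll) == official_collection(),
            E_INVALID_TOKEN,
        );
    }
}
```

Calling `assert_is_rapper(rapper_token)` as the first statement of `go_on_stage_or_battle` rejects the token before any bet or arena state is touched.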

Updates

Lead Judging Commences

bube Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Malicious player can call `go_on_stage_or_battle` function with non-rapper NFT
