One Shot: Reloaded

First Flight #48

Beginner FriendlyNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[L-02] No Validation of Token Authenticity in Battle Functions

agilegypsy

Root + Impact

Description

The battle system accepts any Object without verifying it belongs to the "Rappers" collection, allowing users to submit non-Rapper tokens for battles. This creates a vulnerability where invalid or malicious tokens could be used in the battle system.

The go_on_stage_or_battle function doesn't validate that the provided token is an authentic Rapper NFT from the correct collection, potentially allowing any token object to be used.

// In rap_battle.move

@> public entry fun go_on_stage_or_battle(

@> player: &signer,

@> rapper_token: Object<Token>, // No collection validation

@> bet_amount: u64

@> ) acquires BattleArena {

Risk

Likelihood:

Users could accidentally submit wrong tokens
Malicious actors could attempt to use invalid tokens
The validation check is missing entirely

Impact:

Battle system could accept invalid tokens
Potential confusion and user errors
Reduced protocol integrity

Proof of Concept

This PoC demonstrates how invalid tokens could be submitted:

// Attack scenario with invalid token

let invalid_token = /* any non-Rapper Token object */;

let user = account::create_account_for_test(@user_addr);

// Invalid token could be submitted

rap_battle::go_on_stage_or_battle(&user, invalid_token, 100);

// The function would accept this token without validation

// Result: Non-Rapper NFTs could participate in battles

// This breaks the game's integrity and rules

Recommended Mitigation

The mitigation adds validation to ensure only authentic Rapper NFTs can participate:

+ const E_INVALID_TOKEN: u64 = 11;

public entry fun go_on_stage_or_battle(

player: &signer,

rapper_token: Object<Token>,

bet_amount: u64

) acquires BattleArena {

+ let token_metadata = token::metadata(rapper_token);

+ assert!(token_metadata.collection_name == string::utf8(b"Rappers"), E_INVALID_TOKEN);

// ... rest of function

}

This validation ensures only tokens from the official "Rappers" collection can participate in battles.

Updates

Lead Judging Commences

bube Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

Malicious player can call `go_on_stage_or_battle` function with non-rapper NFT

Rewards breakdown

nSLOC

436

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.