One Shot: Reloaded

First Flight #47

Beginner FriendlyNFT

100 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: medium

[L-03] No Maximum Battle Bet Limit

Author Revealed upon completion

Root + Impact

Description

The battle system doesn't impose any maximum bet limit, which could lead to very large bets straining the system or causing integer overflow issues. The go_on_stage_or_battle function accepts any bet amount without upper bounds.

This lack of validation could allow users to place extremely large bets that may exceed system limits or create economic imbalances.

// In rap_battle.move

@> public entry fun go_on_stage_or_battle(

@> player: &signer,

@> rapper_token: Object<Token>,

@> bet_amount: u64 // No upper limit

@> ) acquires BattleArena {

Risk

Likelihood:

Users could submit extremely large bets
No protection against economic imbalance
Potential for system strain

Impact:

System strain from large bet amounts
Potential integer overflow in calculations
Economic imbalance in the protocol

Proof of Concept

This PoC demonstrates the lack of bet limits:

// Demonstrate unlimited betting scenario

let user = account::create_account_for_test(@user_addr);

let token = /* valid Rapper token */;

// Extremely large bet possible

let max_u64 = 18446744073709551615; // Max u64 value

rap_battle::go_on_stage_or_battle(&user, token, max_u64);

// Result:

// - Prize pool could reach max_u64 * 2 (defender + challenger)

// - Potential overflow in calculations

// - Economic imbalance in the protocol

Recommended Mitigation

The mitigation adds reasonable bet limits to prevent system strain:

+ const MAX_BET_AMOUNT: u64 = 1000000; // 1 million CRED

+ const E_BET_TOO_HIGH: u64 = 12;

public entry fun go_on_stage_or_battle(

player: &signer,

rapper_token: Object<Token>,

bet_amount: u64

) acquires BattleArena {

+ assert!(bet_amount <= MAX_BET_AMOUNT, E_BET_TOO_HIGH);

// ... rest of function

}

This limit prevents extremely large bets while maintaining reasonable gameplay.

Rewards breakdown

nSLOC

436

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.