SNARKeling Treasure Hunt

First Flight #59
Beginner Friendly, GameFi, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high

Wrong hash for treasure checked in claim function

Author Revealed upon completion

Wrong hash checked in the claim function, leading to a double spend or replay

Description

  • The 'claim()' function uses the variable '_treasureHash' to check whether a treasure was already claimed and thereby prevent a replay attack.

  • The issue, however, is that the '_treasureHash' variable is never set, and the '_markClaimed' mapping uses 'treasureHash', which is a totally different variable.

  • Since the variable is never set, it defaults to 0x0, and when claiming, the function always asks if 0x0 has been claimed. After the first claim of any treasure, claimed[0x0] becomes true, thereby blocking other claims, and the actual treasure parameter is never checked, allowing the same treasure to be claimed multiple times.

@> if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);

Risk

Likelihood:

  • Since the check that should prevent already claimed treasures from being claimed again is faulty, there is no way of stopping malicious users from reclaiming treasures as many times as possible.

Impact:

  • Every treasure can be drained as a direct consequence of these poor checks.

Proof of Concept

The following proof of concept explains the attack above

Alice claims treasure hash 0xabc123... → passes (since claimed[0x0] is false)
claimed[0x0] is set to true
Bob tries to claim treasure hash 0xdef456... → reverts (because claimed[0x0] is now true)
But Alice could claim 0xabc123... again with a new valid proof since claimed[0xabc123...] was never actually checked
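
The repeat claim of the same treasure, as an added example that is not the contest's contract or the author's test. `ClaimGuardDemo`, `ClaimGuardCheck`, `payouts`, `claimVulnerable`, `claimFixed` and `run` are hypothetical names; proof verification and the reward transfer are left out so that only the replay guard is modelled, with the guard reading `_treasureHash` and `_markClaimed` writing `treasureHash` as the Description states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a hypothetical reduction of the guard described in the finding.
// Proof verification and the payout transfer are intentionally omitted.
contract ClaimGuardDemo {
    error AlreadyClaimed(bytes32 treasureHash);
    mapping(bytes32 => bool) public claimed;
    mapping(bytes32 => uint256) public payouts; // successful claims per treasure
    bytes32 private _treasureHash; // never assigned, so it stays bytes32(0)

    // Vulnerable form: the guard reads one key, the mark writes another.
    function claimVulnerable(bytes32 treasureHash) external {
        if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);
        _markClaimed(treasureHash);
        payouts[treasureHash] += 1;
    }

    // Fixed form: guard and mark use the same key, the caller-supplied hash.
    function claimFixed(bytes32 treasureHash) external {
        if (claimed[treasureHash]) revert AlreadyClaimed(treasureHash);
        _markClaimed(treasureHash);
        payouts[treasureHash] += 1;
    }

    function _markClaimed(bytes32 treasureHash) internal {
        claimed[treasureHash] = true;
    }
}

contract ClaimGuardCheck {
    // Returns the payout count on the vulnerable path and whether the fixed path rejects a repeat.
    function run() external returns (uint256 vulnerablePayouts, bool fixedRejectsRepeat) {
        bytes32 t = keccak256("constructed-treasure"); // constructed sample value
        ClaimGuardDemo a = new ClaimGuardDemo();
        a.claimVulnerable(t);
        a.claimVulnerable(t); // same treasure again: the guard does not look at t
        vulnerablePayouts = a.payouts(t);

        ClaimGuardDemo b = new ClaimGuardDemo();
        b.claimFixed(t);
        try b.claimFixed(t) { fixedRejectsRepeat = false; } catch { fixedRejectsRepeat = true; }
    }
}
```

In a Foundry project the same two scenarios make a regression test: assert that the second claim of one `treasureHash` reverts with `AlreadyClaimed`.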

Recommended Mitigation

The mitigation is simple: perform the check against the correct variable.

- if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);
+ if (claimed[treasureHash]) revert AlreadyClaimed(treasureHash);
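
Review bot: the `+` line fixes the lookup key, but the `_treasureHash` variable that the description says is never set is left in place and can be picked up by mistake again; remove its declaration along with this change so the compiler rejects any remaining reference. A test that claims the same treasureHash twice and expects AlreadyClaimed on the second call would lock the behaviour in.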
