The `claim()` function reads the variable `_treasureHash` to check whether a treasure was already claimed, which is meant to prevent a replay attack.
The issue, however, is that the `_treasureHash` variable is never set, while the `_markClaimed` mapping is keyed by `treasureHash`, a completely different variable.
Since `_treasureHash` is never assigned, it defaults to 0x0, so every claim asks whether 0x0 has been claimed. After the first claim of any treasure, claimed[0x0] becomes true, thereby blocking other claims, and the actual treasure parameter is never checked, allowing the same treasure to be claimed multiple times.
Likelihood:
Since the check meant to stop an already claimed treasure from being claimed again is faulty, there is nothing preventing malicious users from reclaiming treasures as many times as they like.
Impact:
Every treasure can be drained as a direct consequence of this faulty check.
The following proof of concept explains the attack above
The mitigation is simple: perform the claimed check against the correct variable, the same `treasureHash` that `_markClaimed` writes to.
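As an added illustration (constructed for this write-up, not the audited project's code), the check/mark mismatch described above beside the corrected version; the names `_treasureHash`, `treasureHash` and `_markClaimed` follow the finding, while the hash derivation, the `claimed` mapping and the payout step are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed reproduction of the reported pattern. Not the project's code.
contract TreasureVulnerable {
    bytes32 private _treasureHash;          // declared but never assigned: always 0x0
    mapping(bytes32 => bool) public claimed; // assumed storage for the claimed flags

    function _markClaimed(bytes32 treasureHash) internal {
        claimed[treasureHash] = true;       // marks the real hash...
    }

    function claim(uint256 treasureId, address recipient) external {
        // assumed derivation of the per-treasure hash
        bytes32 treasureHash = keccak256(abi.encode(treasureId, recipient));

        // ...but the guard looks up claimed[_treasureHash] == claimed[0x0],
        // so the flag written by _markClaimed is never the one being checked
        require(!claimed[_treasureHash], "already claimed");
        _markClaimed(treasureHash);
        // payout(treasureId, recipient);    // assumed, omitted
    }
}

// Corrected version: check and mark use the same key, and the flag is set
// before any payout (checks-effects-interactions).
contract TreasureFixed {
    mapping(bytes32 => bool) public claimed;

    function claim(uint256 treasureId, address recipient) external {
        bytes32 treasureHash = keccak256(abi.encode(treasureId, recipient));
        require(!claimed[treasureHash], "already claimed");
        claimed[treasureHash] = true;
        // payout(treasureId, recipient);    // assumed, omitted
    }
}
```

A unit test that calls `claim()` twice with the same arguments should revert on the second call for `TreasureFixed` and succeed for `TreasureVulnerable`, which is the quickest regression check for this class of bug.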