MyCut

AI First Flight #8

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Missing checks for ContestManager::getContestRemainingRewards and ContestManager::closeContest

ssap

Missing checks in function ContestManager::getContestRemainingRewards and ContestManager::closeContest which can cause malicious code to be executed.

Description

The functions ContestManager::getContestRemainingRewardsand ContestManager::closeContestdoes not check incoming address of contract whether it is a Pot that is part of its management and execute code from the contract. This allows any code that follows the name to be able to execute.

function closeContest(address contest) public onlyOwner {

_closeContest(contest);

}

function getContestRemainingRewards(address contest) public view returns (uint256) {

Pot pot = Pot(contest);

return pot.getRemainingRewards();

}

Risk

Likelihood:

Malicious user can freely call ContestManager::getContestRemainingRewardsor ContestManager::closeContestand pass in their own contract to run their own malicious code

Impact:

Malicious code can be exectued by the external contract as long as they provide either function.

Proof of Concept

Malicious user create a new contract, implementing closePotfunction or getRemainingRewardsfunction
Call ContestManager::getContestRemainingRewardsor ContestManager::closeContest to execute their wanted malicious code

getRemainingRewardsgetRemainingRewards//paste this function into the test suite

function testCallingMaliciousContract() public {

vm.startPrank(user);

MaliciousPot pot = new MaliciousPot();

ContestManager(conMan).closeContest(address(pot));

vm.stopPrank();

}

//as well as this contract

contract MaliciousPot {

function closePot() external {

console.log("Malicious Code");

}

Recommended Mitigation

Check using the array, whether the address is one of its pot in the management
Check using the mapping of whether there are still funds to know which is active

second solution

+ require(contestToTotalRewards[contest] > 0)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!