Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 97/283
Findings: 1
Award: $64.39
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DarkTower
Also found by: 0brxce, 0xBinChook, 0xCiphky, 0xDetermination, 0xLogos, Aymen0909, BARW, BoRonGod, Kow, Krace, MrPotatoMagic, PedroZurdo, Tricko, Zac, ZanyBonzy, alexxander, bhilare_, djxploit, evmboi32, grearlake, haxatron, immeas, jnforja, ke1caM, klau5, rouhsamad, sashik_eth, sl1, solmaxis69, ubl4nk, web3pwn, zxriptor
64.3894 USDC - $64.39
claimRewards lacks proper validation for winners, so a winner can call the function multiple times and mint a new fighter on each call.
The vulnerability exists whether or not you have previously won and claimed a round; for this example, assume you have not. Given that you have never won and claimed a round, and that two rounds have been completed so far, if you win round 3 you can call claimRewards successfully three times.
This is because lowerBound is derived from the number of rounds you have won and claimed: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/MergingPool.sol#L148-L149
As a result, you pass the subsequent checks on every call, since msg.sender is in winnerAddress[currentRound][j]: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/MergingPool.sol#L151
Manual Review
Implement a check that limits the number of times a winner can call claimRewards to the number of rewards they have unclaimed.
Invalid Validation
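The following Solidity contract is an added illustration of the claim pattern the finding describes and of the recommended fix; it is not the AI Arena MergingPool code, and every name in it (ClaimModel, finalizeRound, claimRewardsWeak, roundsProcessed, claimed, minted) is an assumption chosen for the model. The weak function advances the per-user counter only when a reward is minted, so a winner of the third round who has never claimed before re-enters the loop at round 0, then 1, then 2, and mints three times; the hardened function advances a cursor over every round it scans and records a per-round claim, so each (round, winner) pair can mint at most once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal model of a round-based reward claim (not the project's code).
contract ClaimModel {
    uint256 public roundId;                                   // number of finalised rounds
    mapping(uint256 => address[]) public winnerAddresses;     // round => winners
    mapping(address => uint256) public minted;                // stand-in for minting a fighter

    // Weak pattern state: counts rewards claimed, not rounds processed.
    mapping(address => uint32) public numRoundsClaimed;

    // Hardened state: next round index to scan, plus a per-round claim record.
    mapping(address => uint256) public roundsProcessed;
    mapping(uint256 => mapping(address => bool)) public claimed;

    /// Constructed helper for the model: records the winners of the current round.
    function finalizeRound(address[] calldata winners) external {
        winnerAddresses[roundId] = winners;
        roundId += 1;
    }

    /// Weak pattern: lowerBound is the number of rewards already claimed. Because the
    /// counter only moves on a successful claim, a winner of round r with k prior claims
    /// restarts the scan at round k and finds round r again on every call until k == r + 1.
    function claimRewardsWeak() external {
        uint32 lowerBound = numRoundsClaimed[msg.sender];
        for (uint256 r = lowerBound; r < roundId; r++) {
            address[] storage winners = winnerAddresses[r];
            for (uint256 j = 0; j < winners.length; j++) {
                if (winners[j] == msg.sender) {
                    numRoundsClaimed[msg.sender] += 1;
                    minted[msg.sender] += 1;      // would mint a fighter here
                }
            }
        }
    }

    /// Hardened: the cursor advances past every round scanned, whether or not the
    /// caller won it, and a per-round flag prevents a second mint for the same round
    /// even if the cursor logic were later changed. A second call with no new rounds
    /// finalised mints nothing.
    function claimRewards() external {
        uint256 start = roundsProcessed[msg.sender];
        for (uint256 r = start; r < roundId; r++) {
            address[] storage winners = winnerAddresses[r];
            for (uint256 j = 0; j < winners.length; j++) {
                if (winners[j] == msg.sender && !claimed[r][msg.sender]) {
                    claimed[r][msg.sender] = true;
                    minted[msg.sender] += 1;      // would mint a fighter here
                }
            }
        }
        roundsProcessed[msg.sender] = roundId;
    }
}
```

To reproduce the scenario in the finding against this model, finalise two rounds without the caller as a winner and a third round with the caller as the sole winner: repeated calls to claimRewardsWeak increment minted three times before the counter reaches roundId, while claimRewards increments it once and subsequent calls are no-ops. The per-round claimed mapping is what directly implements the recommendation, since it bounds the number of successful claims to the number of distinct rounds the caller won and has not yet claimed.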
#0 - c4-pre-sort
2024-02-22T09:30:12Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-22T09:30:21Z
raymondfam marked the issue as duplicate of #37
#2 - c4-judge
2024-03-07T02:44:45Z
HickupHH3 marked the issue as satisfactory