AI Arena - 0xweb3boy's results
In AI Arena you train an AI character to battle in a platform fighting game. Imagine a cross between Pokémon and Super Smash Bros, but the characters are AIs, and you can train them to learn almost any skill in preparation for battle.
General Information
Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Findings Distribution
Researcher Performance
Rank: 38/283
Findings: 1
Award: $166.17
🌟 Selected for report: 0
🚀 Solo Findings: 0
Findings Information
🌟 Selected for report: 0xSmartContract
Also found by: 0xAsen, 0xDetermination, 0xStriker, 0xblack_bird, 0xbrett8571, 0xepley, 0xweb3boy, 14si2o_Flint, Bauchibred, DarkTower, JayShreeRAM, JcFichtner, K42, McToady, Myd, PoeAudits, Rolezn, SAQ, ZanyBonzy, aariiif, albahaca, ansa-zanjbeel, cheatc0d3, clara, cudo, dimulski, fouzantanveer, foxb868, hassanshakeel13, hunter_w3b, kaveyjoe, klau5, peanuts, pipidu83, popeye, rspadi, scokaf, shaflow2, tala7985, wahedtalash77, yongskiws
Awards
166.1676 USDC - $166.17
Labels
External Links
AI Arena Analysis
Overview
In the AI Arena - Gaming Competition, participants engage in a dynamic gaming environment where they have the opportunity to purchase, train, and engage in battles with AI-enabled Non-Fungible Tokens (NFTs) within a Player versus Player (PvP) fighting game.
This gaming platform offers a multifaceted experience, where users can acquire NFTs equipped with artificial intelligence capabilities. These NFTs serve as virtual entities that can be nurtured and customized through various training mechanisms, enabling gamers to enhance their abilities and strategize for competitive battles.
Once equipped with their trained NFTs, participants enter the PvP arena, where they engage in thrilling battles against opponents. These battles are characterized by strategic maneuvers, real-time decision-making, and the utilization of unique AI-driven abilities embedded within each NFT.
The AI Arena fosters a competitive gaming atmosphere, where players can showcase their skills, develop effective battle strategies, and strive for victory in exhilarating PvP encounters. Through the integration of AI technology and NFT mechanics, the AI Arena offers a dynamic and immersive gaming experience for enthusiasts seeking engaging and strategic gameplay.
Smart Contracts: Utilizes contracts like RankedBattle.sol which enables users to stake NRN tokens on fighters, monitors battle records, computes and disburses rewards based on battle results and staked quantities, and permits the claiming of accumulated rewards.
Neuron Token:Within the platform, the Neuron token serves multiple purposes, including but not limited to staking, governance participation, and reward distribution..
Risk Management: With the help of StakeAtRisk this smart contract enables the RankedBattle functionality to oversee the staking process of NRN tokens during battle engagements.
Project’s Risk Model
With the help of updateAtRiskRecords() function it updates stake at risk records for a fighter avoiding the risks of unintentional loss of points or NRNs.
function updateAtRiskRecords( uint256 nrnToPlaceAtRisk, uint256 fighterId, address fighterOwner ) external { require(msg.sender == _rankedBattleAddress, "Call must be from RankedBattle contract"); stakeAtRisk[roundId][fighterId] += nrnToPlaceAtRisk; totalStakeAtRisk[roundId] += nrnToPlaceAtRisk; amountLost[fighterOwner] += nrnToPlaceAtRisk; emit IncreasedStakeAtRisk(fighterId, nrnToPlaceAtRisk); }
Minting and Staking Dynamics
NRN which is Neuron Token serves as the central pillar of the AI Arena's economic framework, facilitating the coordination and synchronization of incentives among participants and stakeholders within the system.
Functioning as an in-game utility token, NRN holds significant strategic value within the game, empowering players to optimize their strategies for advancing up the leaderboard in the Arena.
The 2 functions mint() in Neuron.sol and the stakeNRN() in RankedBattle.sol helps user mint and stake their tokens.
Admin abuse risks
Risk of Admin Abuse
function updateBattleRecord( uint256 tokenId, uint256 mergingPortion, uint8 battleResult, uint256 eloFactor, bool initiatorBool ) external { require(msg.sender == _gameServerAddress); require(mergingPortion <= 100); address fighterOwner = _fighterFarmInstance.ownerOf(tokenId); require( !initiatorBool || _voltageManagerInstance.ownerVoltageReplenishTime(fighterOwner) <= block.timestamp || _voltageManagerInstance.ownerVoltage(fighterOwner) >= VOLTAGE_COST ); _updateRecord(tokenId, battleResult); uint256 stakeAtRisk = _stakeAtRiskInstance.getStakeAtRisk(tokenId); if (amountStaked[tokenId] + stakeAtRisk > 0) { _addResultPoints(battleResult, tokenId, eloFactor, mergingPortion, fighterOwner); } if (initiatorBool) { _voltageManagerInstance.spendVoltage(fighterOwner, VOLTAGE_COST); } totalBattles += 1; }
updateBattleRecord() function has a serious re entrancy which can be flawed by the admin. The function internally calls _addResultPoints() to add the points of the battle and which further calls the _stakeAtRiskInstance.reclaimNRN(curStakeAtRisk, tokenId, fighterOwner);, the reclaimNRN() function doesn't follow CEI and it could lead to reentrancy if admin decides to default.
Future Scalability and Adaptability
Challenges in Protocol Evolution: As the protocol grows and evolves, the centralized admin access structure might become a bottleneck, hindering the adoption of changes and updates that require a broader consensus.
Potential for admin Gridlock : Over time, the concentration of power might lead to admin gridlock if the admin becomes resistant to changes or if there’s a conflict of interest within the community.
Architecture assessment
The overall architecture of the Ai Arena's different smart contract has been analysed and I made a diagram to better understand the flow of the main functions calling external contracts within the system.
RankedBattle.sol Contract
This contract enables users to stake NRN tokens on fighters, monitor battle histories, compute and allocate rewards according to battle results and staked quantities, and permits the collection of accrued rewards.
Architecture
stakeNRN() Function: It allows user to stake their NRN tokens for a particular fighter, Each fighter has its fighterID and so they can be staked.
unstakeNRN(): Users can choose to unstake their NRN tokens corrosponding to a particular fighter using this function.
claimNRN(): This function is used to claimNRN tokens per round.
updateBattleRecord(): The game server address is authorised to call this function and update the battle records for each battle. This function is very important function since this is the core of how the points are added in every case internally calling _addResultPoints function.
Results calculation : _addResultPoints is used to calculate the result of the battle in each scenario and there are total 5 scenario which are :
- Win + no stake-at-risk = Increase points balance
- Win + stake-at-risk = Reclaim some of the stake that is at risk
- Lose + positive point balance = Deduct from the point balance
- Lose + no points = Move some of their NRN staked to the Stake At Risk contract.
- Tie = no consequence
FighterFarm Contract
Architecture
FighterFarm Intraction Flow
Within this contractual framework, oversight is provided for the initiation, possession, and retrieval processes of AI Arena Fighter NFTs, encompassing the capability to generate fresh NFTs originating from a consolidation reservoir or via the utilization of redemption mechanisms inherent in mint passes.
Testing Analysis
| File | % Lines | % Statements | % Branches | % Funcs |
|---|---|---|---|---|
| script/Deployer.s.sol | 0.00% (0/41) | 0.00% (0/52) | 100.00% (0/0) | 0.00% (0/2) |
| src/AAMintPass.sol | 97.14% (34/35) | 97.50% (39/40) | 13.64% (3/22) | 91.67% (11/12) |
| src/AiArenaHelper.sol | 94.87% (37/39) | 96.77% (60/62) | 33.33% (6/18) | 100.00% (7/7) |
| src/FighterFarm.sol | 91.86% (79/86) | 92.16% (94/102) | 22.92% (11/48) | 84.00% (21/25) |
| src/FighterOps.sol | 100.00% (3/3) | 100.00% (3/3) | 100.00% (0/0) | 100.00% (3/3) |
| src/FixedPointMathLib.sol | 0.00% (0/40) | 0.00% (0/34) | 0.00% (0/10) | 12.50% (1/8) |
| src/GameItems.sol | 96.30% (52/54) | 94.44% (51/54) | 38.10% (16/42) | 100.00% (16/16) |
| src/MergingPool.sol | 34.04% (16/47) | 31.15% (19/61) | 0.00% (0/20) | 75.00% (6/8) |
| src/Neuron.sol | 96.67% (29/30) | 97.06% (33/34) | 0.00% (0/26) | 100.00% (12/12) |
| src/RankedBattle.sol | 86.36% (114/132) | 87.23% (123/141) | 36.05% (31/86) | 100.00% (20/20) |
| src/StakeAtRisk.sol | 100.00% (19/19) | 100.00% (20/20) | 33.33% (4/12) | 100.00% (5/5) |
| src/Verification.sol | 70.00% (7/10) | 76.92% (10/13) | 0.00% (0/2) | 100.00% (1/1) |
| src/VoltageManager.sol | 100.00% (18/18) | 100.00% (18/18) | 35.71% (5/14) | 100.00% (6/6) |
| Total | 73.65% (408/554) | 74.13% (470/634) | 25.33% (76/300) | 87.20% (109/125) |
100% Coverage:
Files like FighterOps.sol show 100% coverage across lines, statements, branches, and functions. This indicates that every line of code, every conditional branch, and every function in these files have been executed during testing, which is ideal.
Less Than 100% Coverage:
Files such as Deployer.s.sol, AAMintPass.sol, AiArenaHelper.sol, FighterFarm.sol, FixedPointMathLib.sol, GameItems.sol, MergingPool.sol, Neuron.sol, RankedBattle.sol, StakeAtRisk.sol, VoltageManager.sol have less than 100% coverage in some areas. This could be a cause for concern.
Impact of Non-100% Coverage:
Security Risks: Untested code could lead to security vulnerabilities, potentially leading to loss of funds or other exploits.
Functional Bugs: Lack of coverage might mean that certain edge cases or error conditions are not tested, which could result in bugs or unexpected behavior in production.
Integration Issues: In a protocol with multiple interacting contracts, untested code in one contract might cause issues in another, especially in complex transactions or state changes.
Software engineering considerations
Unit Testing
Develop comprehensive unit tests for each function in the contracts, covering all possible edge cases.
Stress Testing and Simulation
Perform stress tests simulating extreme conditions to evaluate the contracts' resilience.
State Invariants
Establish and verify state invariants for contracts to ensure they maintain consistent states throughout.
Reentrancy Guards
Implement checks against reentrancy attacks, particularly in functions that interact externally in RankedBattle.sol.
Optimize for Gas
Refactor contract code to minimize gas consumption, crucial for functions likely to be called frequently.
Proxy Patterns
If upgradeability is a requirement, consider using proxy patterns, ensuring a clear separation between data and logic.
Version Control
Maintain strict version control and changelogs for all contracts to track changes and upgrades over time.
Transparent Governance Processes
Develop and maintain clear, transparent processes for governance actions, documented in code comments and developer documentation.
Smart Contract Events
Emit detailed events in contracts for better off-chain tracking and to facilitate user interface updates.
Comprehensive Documentation
Maintain detailed documentation for each contract, describing its purpose, functions, and interaction mechanisms.
Time spent:
30 hours
Time spent:
30 hours
#0 - c4-pre-sort
2024-02-25T20:40:17Z
raymondfam marked the issue as sufficient quality report
#1 - c4-judge
2024-03-19T08:01:26Z
HickupHH3 marked the issue as grade-a