AI Arena - AC000123's results

In AI Arena you train an AI character to battle in a platform fighting game. Imagine a cross between Pokémon and Super Smash Bros, but the characters are AIs, and you can train them to learn almost any skill in preparation for battle.

General Information

Platform: Code4rena

Start Date: 09/02/2024

Pot Size: $60,500 USDC

Total HM: 17

Participants: 283

Period: 12 days

Judge:

Id: 328

League: ETH

Researcher Performance

Rank: 221/283

Findings: 1

Award: $1.54

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L530-L532

Vulnerability details

Impact

In _getStakingFactor, when stakedAmount < 1 NRN, stakingFactor_ will always be 1. This allows a player to make positive points without any risk of loss by depositing a minimal amount of $NRN (< 10**4 / bpsLostPerLoss wei).

Proof of Concept

If a player deposits 1 wei and participates in a match, curStakeAtRisk will always be zero, and therefore even if the player loses the match, no staked funds will be at risk of loss. When the player wins the match, stakeAtRisk will always be zero and points should be the same as eloFactor. In the game economics, the penalty for losing is one of the most important mechanisms, and it can be destroyed by this issue.

Tools Used

Manual Review

We can set a minimum limit on staking.

Assessed type

Other
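
The rounding behind this finding, as an added example (not the contest's code or the submitter's): a Python model of the integer arithmetic the finding describes, with a minimum-stake check of the kind it recommends. The formulas are inferred from the finding's wording; the bpsLostPerLoss value of 10, the 18-decimal NRN unit and the 1 NRN minimum are assumptions.

```python
from math import isqrt

NRN = 10**18             # 1 NRN in wei (18 decimals, assumed)
BPS_DENOMINATOR = 10**4  # basis-point denominator named in the finding
BPS_LOST_PER_LOSS = 10   # assumed value; the page only names the variable
MIN_STAKE = NRN          # hypothetical minimum for the mitigation sketch


def staking_factor(staked_wei: int) -> int:
    """Square root of whole NRN staked, bumped from 0 to 1 as described."""
    factor = isqrt(staked_wei // NRN)
    return factor if factor > 0 else 1


def stake_at_risk_on_loss(staked_wei: int, bps: int = BPS_LOST_PER_LOSS) -> int:
    """Stake put at risk by a loss; integer division truncates toward zero."""
    return (bps * staked_wei) // BPS_DENOMINATOR


def points_on_win(staked_wei: int, elo_factor: int) -> int:
    """Points for a win, modelled as stakingFactor * eloFactor (assumed)."""
    return staking_factor(staked_wei) * elo_factor


def risk_free_threshold(bps: int = BPS_LOST_PER_LOSS) -> int:
    """Smallest stake in wei for which a loss risks at least 1 wei."""
    return -(-BPS_DENOMINATOR // bps)  # ceil(10**4 / bps)


def check_stake(staked_wei: int, min_stake: int = MIN_STAKE) -> None:
    """Mitigation sketch: refuse stakes below a minimum."""
    if staked_wei < min_stake:
        raise ValueError(f"stake {staked_wei} wei is below minimum {min_stake}")


if __name__ == "__main__":
    # Constructed sample stakes: dust, both sides of the threshold, 1 and 4 NRN.
    for stake in (1, 999, 1000, NRN, 4 * NRN):
        print(stake, staking_factor(stake), stake_at_risk_on_loss(stake),
              points_on_win(stake, elo_factor=1500))
```

In this model a 1 wei stake earns the same staking factor as a full 1 NRN stake while putting nothing at risk, which is why the floor to 1 and the truncating division matter together.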

#0 - c4-pre-sort

2024-02-22T15:37:15Z

raymondfam marked the issue as insufficient quality report

#1 - c4-pre-sort

2024-02-22T15:37:24Z

raymondfam marked the issue as duplicate of #38

#2 - c4-judge

2024-03-07T02:58:22Z

HickupHH3 changed the severity to 3 (High Risk)

#3 - c4-judge

2024-03-07T03:13:31Z

HickupHH3 marked the issue as partial-75

#4 - c4-judge

2024-03-07T03:27:32Z

HickupHH3 marked the issue as partial-50

#5 - c4-judge

2024-03-07T03:27:47Z

HickupHH3 marked the issue as partial-75
