Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 247/283
Findings: 3
Award: $0.24
๐ Selected for report: 0
๐ Solo Findings: 0
๐ Selected for report: ahmedaghadi
Also found by: 0x13, 0xAleko, 0xDetermination, 0xKowalski, 0xPluto, 0xRiO, 0xvj, AlexCzm, Avci, BARW, BigVeezus, Cryptor, DeFiHackLabs, Draiakoo, Fitro, Giorgio, GoSlang, Greed, Honour, Kalogerone, KmanOfficial, Krace, McToady, MidgarAudits, MrPotatoMagic, Nyxaris, ReadyPlayer2, Ryonen, SovaSlava, SpicyMeatball, VAD37, _eperezok, alexzoid, almurhasan, btk, cu5t0mpeo, deadrxsezzz, djxploit, dvrkzy, emrekocak, erosjohn, evmboi32, fnanni, grearlake, inzinko, jesjupyter, jesusrod15, josephdara, ke1caM, klau5, ktg, ladboy233, merlinboii, nuthan2x, peanuts, pipidu83, pontifex, radev_sw, sl1, sobieski, soliditywala, t0x1c, taner2344, vnavascues, y4y, yovchev_yoan, zaevlad
0.2347 USDC - $0.23
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/MergingPool.sol#L139
The {claimRewards](https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/MergingPool.sol#L139) function allows users to batch claim rewards for multiple rounds. It iterates over all rounds starting from the last claimed round (lowerBound) to the current round (roundId). For each round, it checks if the msg.sender is one of the winners by iterating over the winnerAddresses array for that round. If the msg.sender is a winner, they are allowed to mint a new fighter from the merging pool
The potential DoS vulnerability arises from the unbounded loop that iterates over all winners for each round. An attacker can pass through a large number of winners or rounds to process, the gas cost of executing this function could exceed block gas limits, effectively preventing users from claiming their rewards.
A user with a large number of rounds to claim could find themselves unable to claim rewards due to excessive gas costs. This could lead to frustration and a loss of trust in the system. Additionally, if the winnerAddresses array for any round is large enough, it could prevent all users from claiming rewards for that round.
Manual Review
To mitigate the risk of a DoS attack, consider implementing one of the following solutions:
Limit the Number of Rounds Processed: Introduce a parameter that allows users to specify the number of rounds they wish to claim in a single transaction, thus limiting the gas cost.
Gasless Claims: Implement a gasless claiming mechanism using meta-transactions, where users sign a message off-chain and a relayer submits the transaction on-chain.
Direct Reward Distribution: Instead of requiring users to claim rewards, distribute rewards directly to the winners at the end of each round, if feasible.
DoS
#0 - c4-pre-sort
2024-02-24T00:08:32Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-24T00:08:51Z
raymondfam marked the issue as duplicate of #1541
#2 - c4-judge
2024-03-11T13:01:42Z
HickupHH3 marked the issue as duplicate of #216
#3 - c4-judge
2024-03-11T13:08:05Z
HickupHH3 changed the severity to 2 (Med Risk)
#4 - c4-judge
2024-03-12T02:37:15Z
HickupHH3 marked the issue as partial-50
#5 - c4-judge
2024-03-21T03:01:45Z
HickupHH3 marked the issue as satisfactory
๐ Selected for report: klau5
Also found by: 0rpse, 0xBinChook, 0xDetermination, 0xGreyWolf, 0xLogos, 0xWallSecurity, 0xaghas, 0xgrbr, 0xkaju, 0xlyov, AlexCzm, BARW, Blank_Space, BoRonGod, Daniel526, DanielArmstrong, Draiakoo, FloatingPragma, Giorgio, Greed, Jorgect, Matue, McToady, MidgarAudits, Nyxaris, PUSH0, PedroZurdo, Pelz, PoeAudits, Silvermist, SpicyMeatball, Tekken, Tricko, Tumelo_Crypto, VAD37, WoolCentaur, Zac, alexzoid, andywer, aslanbek, bgsmallerbear, cats, d3e4, desaperh, dimulski, dutra, erosjohn, evmboi32, favelanky, fnanni, forkforkdog, gesha17, givn, grearlake, haxatron, honey-k12, iamandreiski, immeas, juancito, kaveyjoe, ke1caM, kiqo, klau5, korok, lil_eth, lsaudit, n0kto, ni8mare, niser93, pa6kuda, peanuts, peter, shaka, sl1, soliditywala, solmaxis69, t0x1c, tallo, thank_you, tpiliposian, visualbits, vnavascues, web3pwn, yotov721
0.0088 USDC - $0.01
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L370
The reRoll function in the FighterFarm contract allows the owner of a fighter NFT to reroll its traits by paying a cost in $NRN tokens. The randomness used to generate new traits is derived from on-chain data that is predictable before the transaction is mined. This allows a user to potentially revert the transaction if the new traits are not satisfactory, avoiding the reroll cost, and try again until they receive favorable outcomes.
This issue can lead to an unfair advantage for users who have the means to perform many transactions, as they can selectively aim for the best traits without incurring the cost that other users must pay. This undermines the integrity of the game mechanics and can result in a loss of trust in the fairness of the system.
Manual Review
To mitigate this issue, it is recommended to implement one of the following solutions:
Use of Verifiable Random Function (VRF): Integrate a VRF such as Chainlink VRF to provide secure and verifiable randomness that cannot be manipulated by the user.
Non-Refundable Cost Deduction: Ensure that the reroll cost is deducted from the user's balance before any new traits are generated, and that this deduction is non-refundable, regardless of whether the transaction is reverted.
Other
#0 - c4-pre-sort
2024-02-23T03:57:56Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-23T03:58:05Z
raymondfam marked the issue as duplicate of #53
#2 - c4-judge
2024-03-06T03:46:53Z
HickupHH3 marked the issue as partial-25
#3 - c4-judge
2024-03-06T03:49:26Z
HickupHH3 changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-15T02:10:54Z
HickupHH3 changed the severity to 2 (Med Risk)
#5 - c4-judge
2024-03-22T04:23:05Z
HickupHH3 marked the issue as duplicate of #376