Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 174/283
Findings: 1
Award: $8.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: givn
Also found by: 0x11singh99, 0xAkira, 0xBinChook, 0xDetermination, 0xMosh, 0xStriker, 0xmystery, 14si2o_Flint, 7ashraf, Aamir, AlexCzm, BARW, Bauchibred, BenasVol, BigVeezus, Blank_Space, Bube, DarkTower, DeFiHackLabs, EagleSecurity, KmanOfficial, Krace, McToady, MrPotatoMagic, PetarTolev, Rolezn, SHA_256, SpicyMeatball, Tekken, Timenov, ZanyBonzy, agadzhalov, alexzoid, boredpukar, btk, cartlex_, dimulski, forkforkdog, haxatron, immeas, jesjupyter, juancito, kartik_giri_47538, klau5, lsaudit, merlinboii, nuthan2x, offside0011, oualidpro, peter, radev_sw, rekxor, rspadi, shaflow2, shaka, swizz, vnavascues, yotov721, yovchev_yoan
8.8123 USDC - $8.81
safeTransferFrom function checks transferabl before transferring, but doesn't revert if transfer fails due to other reasons.Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/GameItems.sol#L291-L303
Recommendation: Consider adding appropriate error handling.
createGameItem function checks isAdmin but relies on msg.sender being the contract deployer.Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/GameItems.sol#L219
Recommendation: Consider explicitly verifying msg.sender == _ownerAddress for this function if that's the intended behavior.
Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L120-L123 , https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L167 , https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/GameItems.sol#L108
Recommendation: Relying solely on msg.sender verification might be vulnerable if the owner's address is compromised. Consider using signed messages or multi-signature wallets for critical functions like transferring ownership or treasury address.
(e.g., neuronInstance) should be designed to prevent reentrancy vulnerabilities.Even if the function follows the best practice of check-effects-interaction, not using a reentrancy guard when there may be transfer hooks will open the users of this protocol up to read-only reentrancies with no way to protect against it, except by block-listing the whole protocol.
Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L375-L376
Recommendation: Use a nonreentrant modifier for this external call functions.
ecrecover is susceptible to signature malleabilityThe built-in EVM precompile ecrecover is susceptible to signature malleability, which could lead to replay attacks. References: https://swcregistry.io/docs/SWC-117 , https://swcregistry.io/docs/SWC-121 , https://medium.com/cryptronics/signature-replay-vulnerabilities-in-smart-contracts-3b6f7596df57
While this is not immediately exploitable, this may become a vulnerability if used elsewhere.
Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/Verification.sol#L40
Recommendation: Avoid using ecrecover() for signature verification. Instead, utilize the OpenZeppelin's latest version of ECDSA to ensure signatures are safe from malleability issues.
reRoll don't verify token approval before transferring rerollCost.Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L370 Recommendation: Implement proper approval checks.
keccak256 usage for generating random values is implemented securely and unpredictably.Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L379 Recommendation: Consider using dedicated randomness oracles.
stakeNRN, the call to _getStakingFactor might lead to stack overflow errors for deeply nested calls (if _getStakingFactor itself makes external calls).Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L258 Recommendation: Consider optimizing function calls or using alternative data structures.
stakeNRN and unstakeNRN update _calculatedStakingFactor even if it's already true. This might be unnecessary and could be optimized.Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L262 , https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L281
While some checks throw errors (e.g., require), consider handling any potential failures during operations like _neuronInstance.transferFrom or _mint. This could involve returning appropriate error messages or reverting state changes.
Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L376-L391
Events like BoughtItem could include more detailed information like item name or price.
Lines of code: https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/GameItems.sol#L174
#0 - raymondfam
2024-02-26T05:50:51Z
Adequate amount of L and NC entailed.
#1 - c4-pre-sort
2024-02-26T05:50:55Z
raymondfam marked the issue as sufficient quality report
#2 - c4-judge
2024-03-16T10:31:28Z
HickupHH3 marked the issue as grade-b