AI Arena - Shubham's results

In AI Arena you train an AI character to battle in a platform fighting game. Imagine a cross between Pokémon and Super Smash Bros, but the characters are AIs, and you can train them to learn almost any skill in preparation for battle.

General Information

Platform: Code4rena

Start Date: 09/02/2024

Pot Size: $60,500 USDC

Total HM: 17

Participants: 283

Period: 12 days

Judge:

Id: 328

League: ETH

AI Arena

Findings Distribution

Researcher Performance

Rank: 106/283

Findings: 1

Award: $59.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

59.2337 USDC - $59.23

Labels

bug
2 (Med Risk)
insufficient quality report
satisfactory
:robot:_50_group
duplicate-43

External Links

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L158-L161

Vulnerability details

Whenever a game item is created, a daily allowance is set which allows a user to mint a specific amount of tokens for that game item per day. Every 24 hours the allowance is reset for that user to mint again. Game items can be transferable or non-transferable depending on the admin.

Proof of Concept

In mint() users can buy game items. There is a check to ensure a user does not exceed their daily allowance.

File: GameItems.sol

    function mint(uint256 tokenId, uint256 quantity) external {
        ...
        require(
            dailyAllowanceReplenishTime[msg.sender][tokenId] <= block.timestamp ||
            quantity <= allowanceRemaining[msg.sender][tokenId]
        );
        ...
    }

The safeTransferFrom() only checks if the game item is transferable.

File: GameItems.sol

    function safeTransferFrom(
        address from,
        address to,
        uint256 tokenId,
        uint256 amount,
        bytes memory data
    )
        public
        override(ERC1155)
    {
        require(allGameItemAttributes[tokenId].transferable);
        super.safeTransferFrom(from, to, tokenId, amount, data);
    }

Scenario
  • Let's say the daily allowance for a game item (battery in this case) is 1.
  • Bob has spent all the daily voltage & now buys a battery which refills the voltage count to 100.
  • Bob fights more battles till he has finished up his voltage again.
  • Now Bob cannot buy another battery because allowanceRemaining[msg.sender][tokenId] = 0.
  • Bob now registers into the game with a new address & buys a battery.
  • He calls safeTransferFrom() sending the battery to his original address.
  • Bob can now call useVoltageBattery() to refill his voltage balance.

This gives Bob an unfair advantage compared to other users who are unaware of this loophole.

Edge Case
  • A game item has been issued for 7 days which is transferable & daily allowance is 1.
  • It's up to Bob whether he buys & uses that item daily or stores it & uses all at once.
  • Bob uses the above mentioned way to send that game item to his original address from his new address.
  • Now Bob can use the game item more than 7 times & increase his chances to win in battles.

Impact

Users can transfer game items from a different address after depleting their daily allowance, which gives them an unfair advantage compared to other players. This in turn makes the concept of daily allowance useless.

Tools Used

Manual Review

A possible suggestion would be to allow game items to be transferred only if the to address has not reached the daily allowance limit for that day.

Assessed type

Invalid Validation
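The scenario and the suggested receiver-side check, modelled as an added Python example (not the project's Solidity code and not part of the original submission). The class name, the check_receiver switch, the address labels and the clock are assumptions made for illustration; the allowance bookkeeping follows the mint() check quoted in the report.

```python
# Added model of the per-address daily allowance; sample values are constructed.
from collections import defaultdict

DAY = 24 * 60 * 60  # allowance window in seconds

class GameItemsModel:
    """One transferable game item; allowance value and clock are constructed."""

    def __init__(self, daily_allowance=1, check_receiver=False):
        self.daily_allowance = daily_allowance
        self.check_receiver = check_receiver  # True = mitigation suggested in the report
        self.now = 0  # stand-in for block.timestamp
        self.balance = defaultdict(int)
        self.allowance_remaining = defaultdict(int)
        self.replenish_time = defaultdict(int)

    def _consume_allowance(self, user, quantity):
        # Reset the allowance once the 24-hour window has passed, then spend from it.
        if self.replenish_time[user] <= self.now:
            self.allowance_remaining[user] = self.daily_allowance
            self.replenish_time[user] = self.now + DAY
        if quantity > self.allowance_remaining[user]:
            raise PermissionError(f"{user}: daily allowance exceeded")
        self.allowance_remaining[user] -= quantity

    def mint(self, user, quantity):
        self._consume_allowance(user, quantity)
        self.balance[user] += quantity

    def safe_transfer_from(self, sender, to, amount):
        if self.balance[sender] < amount:
            raise ValueError("insufficient balance")
        if self.check_receiver:
            # Incoming items count against the receiver's allowance for the day.
            self._consume_allowance(to, amount)
        self.balance[sender] -= amount
        self.balance[to] += amount

def items_obtained_in_one_day(check_receiver):
    """Replay the report's scenario and return how many items the main address holds."""
    game = GameItemsModel(daily_allowance=1, check_receiver=check_receiver)
    game.mint("bob_main", 1)
    game.mint("bob_second", 1)
    try:
        game.safe_transfer_from("bob_second", "bob_main", 1)
    except PermissionError:
        pass  # rejected: bob_main already used today's allowance
    return game.balance["bob_main"]
```

With the receiver-side check enabled, every incoming transfer is charged against the recipient's daily allowance, so ordinary transfers between players are limited by it as well.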

#0 - c4-pre-sort

2024-02-22T18:06:30Z

raymondfam marked the issue as insufficient quality report

#1 - c4-pre-sort

2024-02-22T18:06:41Z

raymondfam marked the issue as duplicate of #43

#2 - c4-judge

2024-03-07T04:17:54Z

HickupHH3 marked the issue as satisfactory
