Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 101/283
Findings: 3
Award: $61.53
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Abdessamed
Also found by: 0rpse, 0xAlix2, 0xAsen, 0xCiphky, 0xlemon, 0xmystery, 0xvj, ADM, Aamir, Archime, BARW, DarkTower, Draiakoo, FloatingPragma, JCN, McToady, MrPotatoMagic, OMEN, PetarTolev, Ryonen, SpicyMeatball, Tendency, VAD37, Velislav4o, VrONTg, Zac, adamn000, ahmedaghadi, alexxander, alexzoid, bhilare_, btk, cats, d3e4, denzi_, devblixt, dimulski, evmboi32, fnanni, givn, haxatron, immeas, jesjupyter, juancito, ke1caM, klau5, korok, krikolkk, matejdb, n0kto, niser93, peter, pkqs90, radin100, shaka, sl1, soliditywala, stackachu, stakog, t0x1c, vnavascues, yotov721, zhaojohnson
1.2667 USDC - $1.27
The redeemMintPass function permits users to arbitrarily set the iconsTypes attribute of newly minted 'fighters' during the redemption process. This allows them to bypass an intended association between burned 'mintPass' metadata and generated fighter properties.
The developer has confirmed this behavior is unintentional.
iconType of low market value.mintPass.Crucially, they manually provide an iconsTypes input corresponding to a rare and coveted icon.
A new 'fighter' is minted, visually representing the rare 'icon' while having originated from a common 'mintPass'.
Manual Review
Change :
require( mintpassIdsToBurn.length == mintPassDnas.length && mintPassDnas.length == fighterTypes.length && fighterTypes.length == modelHashes.length && modelHashes.length == modelTypes.length
to
require( mintpassIdsToBurn.length == mintPassDnas.length && mintPassDnas.length == fighterTypes.length && fighterTypes.length == modelHashes.length && modelHashes.length == modelTypes.length && modelTypes.length == iconsTypes.lenght
Invalid Validation
#0 - c4-pre-sort
2024-02-22T07:46:57Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-22T07:47:03Z
raymondfam marked the issue as duplicate of #33
#2 - c4-pre-sort
2024-02-26T00:53:29Z
raymondfam marked the issue as duplicate of #1626
#3 - c4-judge
2024-03-05T10:56:27Z
HickupHH3 changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-06T03:12:11Z
HickupHH3 marked the issue as satisfactory
🌟 Selected for report: t0x1c
Also found by: 0rpse, 0xAadi, 0xBinChook, 0xCiphky, 0xDetermination, 14si2o_Flint, AC000123, Aamir, Abdessamed, Blank_Space, CodeWasp, DanielArmstrong, DarkTower, Draiakoo, Honour, Kalogerone, Krace, McToady, Merulez99, MidgarAudits, MrPotatoMagic, PedroZurdo, Silvermist, Tychai0s, VAD37, Velislav4o, VrONTg, WoolCentaur, YouCrossTheLineAlfie, ZanyBonzy, alexxander, aslanbek, btk, csanuragjain, d3e4, dimulski, djxploit, erosjohn, evmboi32, fnanni, forgebyola, forkforkdog, handsomegiraffe, immeas, israeladelaja, juancito, ktg, n0kto, neocrao, ni8mare, okolicodes, peanuts, petro_1912, shaflow2, shaka, swizz, ubermensch, ubl4nk, yotov721
1.0297 USDC - $1.03
This vulnerability allows users to strategically minimize their staking amounts, enabling them to participate in the reward system without genuine risk. This undermines the core concept of risk vs. reward within the protocol.
Let's imagine that Alice wants to play Ranked Battle but she decide to stake 1 wei to remove risk of losing NRN
The game dose the calculation :
curStakeAtRisk = (bpsLostPerLoss * (amountStaked[tokenId] + stakeAtRisk)) / 10**4;
let's imagine that bpsLostPerLoss is 500 and amountStaked[tokenId] is 1 wei and stakeAtRisk is 10000 wei that mean that the calculation goes
500 * (0+ 10000)) / 10000 = 0
Manual Review
Enforce a minimum threshold for amountStaked[tokenId] that must be surpassed for battle eligibility. This eliminates the zero-risk scenario.
Math
#0 - c4-pre-sort
2024-02-22T16:02:07Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-22T16:02:14Z
raymondfam marked the issue as duplicate of #38
#2 - c4-judge
2024-03-07T02:49:49Z
HickupHH3 changed the severity to 2 (Med Risk)
#3 - c4-judge
2024-03-07T02:58:22Z
HickupHH3 changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-07T03:15:54Z
HickupHH3 marked the issue as satisfactory
#5 - c4-judge
2024-03-07T03:16:30Z
HickupHH3 marked the issue as partial-50
🌟 Selected for report: t0x1c
Also found by: 0xCiphky, 0xDetermination, Draiakoo, Greed, Kalogerone, MatricksDeCoder, MidgarAudits, MrPotatoMagic, PedroZurdo, Shubham, SpicyMeatball, VAD37, Velislav4o, ZanyBonzy, btk, cats, djxploit, forkforkdog, givn, ladboy233, lanrebayode77, lil_eth, visualbits, zaevlad
59.2337 USDC - $59.23
The current implementation of the fighter minting restriction within the _createNewFighter function has a critical defect. Minting limits are naively enforced by checking the target address's balanceOf. This allows attackers to circumvent safeguards by transferring minted fighters away, and continue minting indefinitely.
(balanceOf(attackerAddress) == MAX_FIGHTERS_ALLOWED).(attackerAddress2).balanceOf(attackerAddress) decreases, they can keep using _createNewFighter even after exceeding the expected limit.Manual Review
introduce a mapping counter of created fighters. Increment this with each successful _createNewFighter call. Refuse minting when the global counter hits 10 fighters.
Invalid Validation
#0 - c4-pre-sort
2024-02-23T17:50:52Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-23T17:51:02Z
raymondfam marked the issue as duplicate of #43
#2 - c4-judge
2024-03-07T06:36:55Z
HickupHH3 changed the severity to 2 (Med Risk)
#3 - c4-judge
2024-03-07T06:36:59Z
HickupHH3 marked the issue as satisfactory