AI Arena - abhishek_thaku_r's results

In AI Arena you train an AI character to battle in a platform fighting game. Imagine a cross between Pokémon and Super Smash Bros, but the characters are AIs, and you can train them to learn almost any skill in preparation for battle.

General Information

Platform: Code4rena

Start Date: 09/02/2024

Pot Size: $60,500 USDC

Total HM: 17

Participants: 283

Period: 12 days

Judge:

Id: 328

League: ETH

AI Arena

Findings Distribution

Researcher Performance

Rank: 42/283

Findings: 1

Award: $145.18

Selected for report: 1

Solo Findings: 0

Awards

145.1788 USDC - $145.18

Labels

bug
3 (High Risk)
primary issue
satisfactory
selected for report
sponsor confirmed
sufficient quality report
:robot:_49_group
H-06

External Links

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L370

Vulnerability details

Impact

FighterFarm::reRoll takes the NFT id as a uint8, so the owner of any fighter with a tokenId greater than 255 cannot call the function at all. Those owners lose the ability to re-roll for new random traits, which could have improved their fighter's performance in battle.

Proof of Concept

The affected code can be seen here.

The code snippet is included below as well, for clarity.

    /// @notice Rolls a new fighter with random traits.
    /// @param tokenId ID of the fighter being re-rolled.
    /// @param fighterType The fighter type.
@>    function reRoll(uint8 tokenId, uint8 fighterType) public {
        require(msg.sender == ownerOf(tokenId));
        require(numRerolls[tokenId] < maxRerollsAllowed[fighterType]);
        require(_neuronInstance.balanceOf(msg.sender) >= rerollCost, "Not enough NRN for reroll");

        _neuronInstance.approveSpender(msg.sender, rerollCost);
        bool success = _neuronInstance.transferFrom(msg.sender, treasuryAddress, rerollCost);
        if (success) {
            numRerolls[tokenId] += 1;
            uint256 dna = uint256(keccak256(abi.encode(msg.sender, tokenId, numRerolls[tokenId])));
            (uint256 element, uint256 weight, uint256 newDna) = _createFighterBase(dna, fighterType);
            fighters[tokenId].element = element;
            fighters[tokenId].weight = weight;
            fighters[tokenId].physicalAttributes = _aiArenaHelperInstance.createPhysicalAttributes(
                newDna,
                generation[fighterType],
                fighters[tokenId].iconsType,
                fighters[tokenId].dendroidBool
            );
            _tokenURIs[tokenId] = "";
        }
    }   

Note the highlighted line (the first line of the function): tokenId is declared as uint8, so the function cannot be called for any NFT whose id is greater than 255.

Any value of 256 or more is out of range for uint8. A conforming client refuses to encode such a value for this signature, and a hand-crafted call that puts 256 in the uint8 slot is rejected by the contract's calldata decoder before the function body runs, so the re-roll never happens for these ids.
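To make the boundary concrete, the following is an added example written for this page (it is not the AI Arena code base or part of the original report). It models, in plain Python, how an ABI client encodes a uintN argument and how the Solidity calldata decoder validates it, using two constructed ABI fragments that mirror the vulnerable `reRoll(uint8,uint8)` signature and the `reRoll(uint256,uint8)` fix. It also includes a small lint that flags id-like parameters narrower than uint256, so the same bug class can be caught elsewhere in a compiled ABI. All function names and the ABI fragments are assumptions made for the example.

```python
"""Added example: models the calldata boundary behind the reRoll(uint8 tokenId) finding.

Illustrative code written for this page, not the AI Arena code base. The ABI fragments
are constructed to match the two reRoll signatures discussed in the report; the helpers
mimic how an ABI client encodes a uintN argument and how the Solidity calldata decoder
validates it (a word that does not fit the declared type makes the call revert).
"""
import re

# Constructed ABI fragments: the vulnerable signature and the recommended fix.
REROLL_VULNERABLE = {
    "type": "function",
    "name": "reRoll",
    "inputs": [{"name": "tokenId", "type": "uint8"},
               {"name": "fighterType", "type": "uint8"}],
}
REROLL_FIXED = {
    "type": "function",
    "name": "reRoll",
    "inputs": [{"name": "tokenId", "type": "uint256"},
               {"name": "fighterType", "type": "uint8"}],
}
WORD_BYTES = 32


def uint_max(type_name):
    """Largest value representable by a Solidity uintN type ("uint" means uint256)."""
    m = re.fullmatch(r"uint(\d*)", type_name)
    if m is None:
        raise ValueError(f"not an unsigned integer type: {type_name}")
    bits = int(m.group(1) or 256)
    if bits % 8 or not 8 <= bits <= 256:
        raise ValueError(f"invalid width: {type_name}")
    return (1 << bits) - 1


def encode_arg(value, type_name):
    """ABI-encode one static argument as a 32-byte big-endian word.

    A conforming client refuses out-of-range values, so an honest caller cannot even
    build a transaction carrying tokenId >= 256 for a uint8 parameter.
    """
    if not 0 <= value <= uint_max(type_name):
        raise ValueError(f"{value} does not fit {type_name}")
    return value.to_bytes(WORD_BYTES, "big")


def decode_arg(word, type_name):
    """Mimic the compiler-generated decoder's check on a calldata word.

    The decoder reverts when bits are set above the declared width, so hand-crafting
    calldata with 256 in a uint8 slot does not bypass the limit either.
    """
    value = int.from_bytes(word, "big")
    if value > uint_max(type_name):
        raise ValueError(f"revert: dirty upper bits in {type_name} argument")
    return value


def honest_client_can_call(token_id, abi_fn):
    """Can a conforming client encode `token_id` for the function's first parameter?"""
    try:
        encode_arg(token_id, abi_fn["inputs"][0]["type"])
        return True
    except ValueError:
        return False


def raw_calldata_accepted(token_id, abi_fn):
    """Write the id as a full 256-bit word (what a low-level call built with
    abi.encodeWithSignature would carry) and ask whether the callee's decoder accepts it."""
    word = token_id.to_bytes(WORD_BYTES, "big")
    try:
        decode_arg(word, abi_fn["inputs"][0]["type"])
        return True
    except ValueError:
        return False


def narrow_id_params(abi):
    """Lint: (function, param, type) for id-like parameters declared narrower than uint256.

    Run it over a contract's compiled ABI (a list of fragments) to find the same bug class.
    """
    hits = []
    for fn in abi:
        if fn.get("type") != "function":
            continue
        for param in fn["inputs"]:
            looks_like_id = re.search(r"id$", param["name"], re.IGNORECASE)
            if (looks_like_id and param["type"].startswith("uint")
                    and uint_max(param["type"]) < uint_max("uint256")):
                hits.append((fn["name"], param["name"], param["type"]))
    return hits


if __name__ == "__main__":
    for tid in (255, 256, 1000):
        print(tid,
              honest_client_can_call(tid, REROLL_VULNERABLE),
              raw_calldata_accepted(tid, REROLL_VULNERABLE),
              honest_client_can_call(tid, REROLL_FIXED))
    print(narrow_id_params([REROLL_VULNERABLE, REROLL_FIXED]))
```

Ids up to 255 pass both paths under the vulnerable signature, id 256 fails both (the client will not encode it, and a forced calldata word is rejected by the decoder), and every id passes under the uint256 signature; the lint reports only the `tokenId` uint8 parameter.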

Tools Used

Manual Review

Use uint256 for the NFT id input to fix the issue:

- function reRoll(uint8 tokenId, uint8 fighterType) public {
+ function reRoll(uint256 tokenId, uint8 fighterType) public {
   require(msg.sender == ownerOf(tokenId));
        require(numRerolls[tokenId] < maxRerollsAllowed[fighterType]);
        require(_neuronInstance.balanceOf(msg.sender) >= rerollCost, "Not enough NRN for reroll");

        _neuronInstance.approveSpender(msg.sender, rerollCost);
        bool success = _neuronInstance.transferFrom(msg.sender, treasuryAddress, rerollCost);
        if (success) {
            numRerolls[tokenId] += 1;
            uint256 dna = uint256(keccak256(abi.encode(msg.sender, tokenId, numRerolls[tokenId])));
            (uint256 element, uint256 weight, uint256 newDna) = _createFighterBase(dna, fighterType);
            fighters[tokenId].element = element;
            fighters[tokenId].weight = weight;
            fighters[tokenId].physicalAttributes = _aiArenaHelperInstance.createPhysicalAttributes(
                newDna,
                generation[fighterType],
                fighters[tokenId].iconsType,
                fighters[tokenId].dendroidBool
            );
            _tokenURIs[tokenId] = "";
        }
    }
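Review bot: widening the parameter fixes the call boundary, but the storage it indexes must be checked too: `numRerolls[tokenId]`, `fighters[tokenId]` and `_tokenURIs[tokenId]` are keyed by whatever type their mapping declarations use, and those declarations are outside this hunk; if any of them is keyed by uint8 the narrowing just moves one line down. The new signature `reRoll(uint256,uint8)` also has a different function selector from `reRoll(uint8,uint8)`, so every frontend or script calling the old ABI needs updating. Minor: the `require(msg.sender == ownerOf(tokenId))` line lost its indentation in the diff and carries no revert reason, unlike the NRN balance check two lines below.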

Assessed type

DoS

#0 - c4-pre-sort

2024-02-21T23:45:58Z

raymondfam marked the issue as primary issue

#1 - c4-pre-sort

2024-02-21T23:46:02Z

raymondfam marked the issue as sufficient quality report

#2 - raymondfam

2024-02-21T23:46:57Z

Unsigned integer type limitation indeed.

#3 - c4-sponsor

2024-03-04T01:08:18Z

brandinho (sponsor) confirmed

#4 - SonnyCastro

2024-03-04T18:55:07Z

Mitigated here

#5 - c4-judge

2024-03-05T01:54:31Z

HickupHH3 marked the issue as satisfactory

#6 - c4-judge

2024-03-05T02:01:40Z

HickupHH3 marked the issue as selected for report

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
