Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 28/283
Findings: 2
Award: $238.93
Selected for report: 0
Solo Findings: 0
Selected for report: klau5
Also found by: 0rpse, 0xBinChook, 0xDetermination, 0xGreyWolf, 0xLogos, 0xWallSecurity, 0xaghas, 0xgrbr, 0xkaju, 0xlyov, AlexCzm, BARW, Blank_Space, BoRonGod, Daniel526, DanielArmstrong, Draiakoo, FloatingPragma, Giorgio, Greed, Jorgect, Matue, McToady, MidgarAudits, Nyxaris, PUSH0, PedroZurdo, Pelz, PoeAudits, Silvermist, SpicyMeatball, Tekken, Tricko, Tumelo_Crypto, VAD37, WoolCentaur, Zac, alexzoid, andywer, aslanbek, bgsmallerbear, cats, d3e4, desaperh, dimulski, dutra, erosjohn, evmboi32, favelanky, fnanni, forkforkdog, gesha17, givn, grearlake, haxatron, honey-k12, iamandreiski, immeas, juancito, kaveyjoe, ke1caM, kiqo, klau5, korok, lil_eth, lsaudit, n0kto, ni8mare, niser93, pa6kuda, peanuts, peter, shaka, sl1, soliditywala, solmaxis69, t0x1c, tallo, thank_you, tpiliposian, visualbits, vnavascues, web3pwn, yotov721
0.0352 USDC - $0.04
The DNA for new fighters is calculated in a predictable manner using the sender address and fighters.length, making it possible for an attacker to anticipate the DNA and mint a fighter with desired attributes by front-running a transaction.
Hash all combinations of a few different sender addresses of accounts under your control and different values for fighters.length, apply the DNA logic to derive attributes and note the ones with desired attributes.
Then claim one of those fighters at just the right moment, when fighters.length has the matching value, from the matching account, and you have a predictably valuable fighter.
See https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L212-L220
Unreleased AI tool
Include at least the block hash in the data before hashing. To be really safe, a two-stage process might be preferable: a claim has to be submitted first, can only be executed in a later block, and the DNA is then derived from that later block's hash.
Invalid Validation
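One way to implement the two-stage claim recommended above, as an added illustration and not the AI Arena code: the contract, function names and storage layout are hypothetical; fighterCount stands in for fighters.length, and the DNA seed is only fixed once a block chosen after the commit exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical two-step claim (added example, not the project's contract).
/// Step 1 only records intent; step 2 derives the DNA from the hash of the
/// block *after* the commit, which nobody knows when the commit is sent.
contract TwoStepFighterClaim {
    struct Pending { uint256 targetBlock; bool exists; }

    mapping(address => Pending) public pending;
    uint256 public fighterCount;              // stands in for fighters.length
    mapping(uint256 => uint256) public dnaOf; // fighter id => DNA

    event Committed(address indexed who, uint256 targetBlock);
    event Claimed(address indexed who, uint256 indexed id, uint256 dna);

    // Step 1: register the claim. The block whose hash will seed the DNA is
    // fixed now (commit block + 1), so the executor cannot shop for a block.
    function commitClaim() external {
        require(!pending[msg.sender].exists, "claim already pending");
        uint256 target = block.number + 1;
        pending[msg.sender] = Pending(target, true);
        emit Committed(msg.sender, target);
    }

    // Step 2: must run after the target block exists and while its hash is
    // still available to the EVM (blockhash() returns 0 beyond 256 blocks,
    // so an expired claim is rejected instead of silently seeded with zero).
    function executeClaim() external returns (uint256 id) {
        Pending memory p = pending[msg.sender];
        require(p.exists, "no pending claim");
        require(block.number > p.targetBlock, "target block not yet mined");
        require(block.number - p.targetBlock <= 256, "claim expired");

        bytes32 seed = blockhash(p.targetBlock);
        require(seed != bytes32(0), "block hash unavailable");

        delete pending[msg.sender]; // effects before any further logic
        id = fighterCount++;
        // Same inputs as before (sender, count) plus an unpredictable seed.
        uint256 dna = uint256(keccak256(abi.encodePacked(msg.sender, id, seed)));
        dnaOf[id] = dna;
        emit Claimed(msg.sender, id, dna);
    }
}
```

A committer can still abandon a pending claim whose target block hash turned out unfavourable and try again after it expires, so in practice the commit should carry a non-refundable cost to make that grinding unattractive.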
#0 - c4-pre-sort
2024-02-24T02:04:01Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-24T02:04:16Z
raymondfam marked the issue as duplicate of #53
#2 - c4-judge
2024-03-06T03:54:06Z
HickupHH3 marked the issue as satisfactory
#3 - c4-judge
2024-03-15T02:10:54Z
HickupHH3 changed the severity to 2 (Med Risk)
#4 - c4-judge
2024-03-22T04:23:10Z
HickupHH3 marked the issue as duplicate of #376
Selected for report: Timenov
Also found by: 0x11singh99, 0xblackskull, CodeWasp, MidgarAudits, MrPotatoMagic, Rolezn, Sabit, SovaSlava, andywer, btk, josephdara, lil_eth, merlinboii, sobieski, vnavascues
238.8948 USDC - $238.89
The contract lacks a mechanism for revoking burning privileges from addresses that were previously granted such access, potentially leading to long-term risks if an address is compromised or should no longer be trusted.
Unreleased AI tool
Add a function to revoke burning privileges.
Access Control
#0 - c4-pre-sort
2024-02-22T19:34:18Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-22T19:34:27Z
raymondfam marked the issue as duplicate of #47
#2 - c4-judge
2024-03-08T03:31:01Z
HickupHH3 marked the issue as satisfactory