AI Arena - bgsmallerbear's results

In AI Arena you train an AI character to battle in a platform fighting game. Imagine a cross between Pokémon and Super Smash Bros, but the characters are AIs, and you can train them to learn almost any skill in preparation for battle.

General Information

Platform: Code4rena

Start Date: 09/02/2024

Pot Size: $60,500 USDC

Total HM: 17

Participants: 283

Period: 12 days

Judge:

Id: 328

League: ETH

Researcher Performance

Rank: 279/283

Findings: 1

Award: $0.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L379

Vulnerability details

Description

All users can predict the best reroll. Because the computation can be compiled and run on Remix for free and every input is predictable, a single user can create multiple wallets and freely check the best possible outcome for their fighter.

Impact

Users that do this will be able to win more often because of the increased weight, which will lead to bigger monetary gain.

Proof of Concept

  1. User mints NFT
  2. User checks which roll gives them the best value.
  3. User calls this function

    // Reproduces the weight derivation from caller address, token id and reroll count.
    function testDna(uint256 rerolls, uint256 tokenId) public returns (uint256) {
        return uint256(keccak256(abi.encode(msg.sender, tokenId, rerolls))) % 31 + 65;
    }

Example values: msg.sender = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4, tokenId = 0

rerolls = 1 => weight = 90

rerolls = 2 => weight = 60

rerolls = 3 => weight = 78

Use Chainlink VRF.

Assessed type

Other
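
The request-and-fulfil flow behind the "Use Chainlink VRF" mitigation in the finding above, as an added example that is not AI Arena's code or the reporter's. The contract name `RerollWithVrf`, its storage layout, the confirmation count and the callback gas limit are assumptions, and the import paths depend on the installed @chainlink/contracts version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not AI Arena code. Import paths follow the Chainlink VRF v2
// layout in @chainlink/contracts and may differ between package versions.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract RerollWithVrf is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash; // gas lane, network specific
    uint64 private immutable subId;    // funded VRF subscription

    mapping(uint256 => uint256) public pendingToken; // requestId => tokenId + 1
    mapping(uint256 => bool) public rerollInFlight;  // tokenId => request open
    mapping(uint256 => uint256) public weight;       // tokenId => rolled weight

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    // Step 1: the caller commits to the reroll before any randomness exists,
    // so the outcome cannot be simulated off-chain beforehand.
    function requestReroll(uint256 tokenId) external returns (uint256 requestId) {
        // Ownership and reroll-limit checks of a real contract are omitted here.
        require(!rerollInFlight[tokenId], "reroll pending");
        rerollInFlight[tokenId] = true;
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 100_000, 1);
        pendingToken[requestId] = tokenId + 1;
    }

    // Step 2: only the coordinator reaches this callback (enforced by the base
    // contract); the weight is derived from the verified random word.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords)
        internal
        override
    {
        uint256 stored = pendingToken[requestId];
        if (stored == 0) return; // unknown request: do not revert in the callback
        uint256 tokenId = stored - 1;
        delete pendingToken[requestId];
        rerollInFlight[tokenId] = false;
        weight[tokenId] = (randomWords[0] % 31) + 65; // same 65..95 range as testDna
    }
}
```

Because the weight is written in a later transaction than the request, the caller's address, token id and reroll count no longer determine the result.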

#0 - c4-pre-sort

2024-02-23T03:57:06Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-02-23T03:57:15Z

raymondfam marked the issue as duplicate of #53

#2 - c4-judge

2024-03-06T03:46:37Z

HickupHH3 marked the issue as satisfactory

#3 - c4-judge

2024-03-15T02:10:54Z

HickupHH3 changed the severity to 2 (Med Risk)

#4 - c4-judge

2024-03-22T04:21:59Z

HickupHH3 marked the issue as duplicate of #376
