Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 231/283
Findings: 3
Award: $1.22
Selected for report: 0
Solo Findings: 0
Selected for report: CodeWasp
Also found by: 0x13, 0xAlix2, 0xAsen, 0xCiphky, 0xE1, 0xLogos, 0xaghas, 0xlemon, 0xlyov, 0xvj, ADM, Aamir, BARW, Bauchibred, DMoore, DanielArmstrong, Draiakoo, Fulum, GhK3Ndf, Josh4324, Kalogerone, KmanOfficial, Krace, KupiaSec, Limbooo, MidgarAudits, MrPotatoMagic, PedroZurdo, Pelz, Tendency, _eperezok, adam-idarrha, al88nsk, alexxander, alexzoid, aslanbek, blutorque, btk, c0pp3rscr3w3r, cartlex_, cats, d3e4, deadrxsezzz, denzi_, devblixt, dimulski, erosjohn, evmboi32, fnanni, grearlake, hulkvision, immeas, israeladelaja, jaydhales, jesjupyter, jnforja, juancito, klau5, korok, ktg, ladboy233, matejdb, merlinboii, novamanbg, nuthan2x, oualidpro, peanuts, petro_1912, pkqs90, pynschon, radev_sw, rouhsamad, sashik_eth, shaka, sobieski, soliditywala, stackachu, tallo, thank_you, ubl4nk, vnavascues, web3pwn, xchen1130, zhaojohnson
0.1044 USDC - $0.10
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L346 https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L363
In FighterFarm.sol, a fighter NFT cannot be transferred if it is currently staked or if the receiver already holds 'MAX_FIGHTERS_ALLOWED' fighters. That check ('_ableToTransfer()') is only applied in the two overridden functions 'transferFrom(address from, address to, uint256 tokenId)' and 'safeTransferFrom(address from, address to, uint256 tokenId)'. ERC721 also exposes a third public transfer function, 'safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data)' (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.5/contracts/token/ERC721/ERC721.sol#L167), which FighterFarm does not override; it calls '_safeTransfer()' directly and so moves a fighter with no check at all. A user can therefore transfer a staked fighter to a new owner, and the new owner can then call 'unstakeNRN()' in 'RankedBattle.sol' to withdraw the NRN the previous owner staked on that fighter.
In FighterFarm.sol, also override 'safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data)' from ERC721.sol and apply the same '_ableToTransfer()' check there.
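The gap and the fix side by side, as an added illustration that is not AI Arena's FighterFarm.sol: a minimal ERC721 on OpenZeppelin v4.9.x (the version the link above points at) that guards the same two functions FighterFarm guards, and then adds the missing override. The contract name, 'MAX_FIGHTERS_ALLOWED' value, 'fighterStaked' mapping, 'markStaked()' and the staking-contract address are assumptions standing in for the project's own wiring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Targets OpenZeppelin v4.9.x, where
// ERC721 still provides _isApprovedOrOwner and _safeTransfer.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract FighterLike is ERC721, Ownable {
    uint8 public constant MAX_FIGHTERS_ALLOWED = 10;  // assumed cap
    mapping(uint256 => bool) public fighterStaked;    // assumed: maintained by the staking contract
    address public immutable stakingContract;         // assumed trusted caller

    constructor(address staking) ERC721("FighterLike", "FL") {
        stakingContract = staking;
    }

    function mint(address to, uint256 tokenId) external onlyOwner {
        _safeMint(to, tokenId);
    }

    function markStaked(uint256 tokenId, bool staked) external {
        require(msg.sender == stakingContract, "only staking contract");
        fighterStaked[tokenId] = staked;
    }

    // The three conditions the finding describes: caller authorised for the
    // token, receiver below the cap, fighter not staked.
    function _ableToTransfer(uint256 tokenId, address to) private view returns (bool) {
        return _isApprovedOrOwner(msg.sender, tokenId)
            && balanceOf(to) < MAX_FIGHTERS_ALLOWED
            && !fighterStaked[tokenId];
    }

    // The two entry points that are guarded.
    function transferFrom(address from, address to, uint256 tokenId) public override {
        require(_ableToTransfer(tokenId, to), "fighter not transferable");
        _transfer(from, to, tokenId);
    }

    function safeTransferFrom(address from, address to, uint256 tokenId) public override {
        require(_ableToTransfer(tokenId, to), "fighter not transferable");
        _safeTransfer(from, to, tokenId, "");
    }

    // The fix. In OZ 4.9.x this overload is its own public function that runs
    // _isApprovedOrOwner and then _safeTransfer; it never enters the two
    // overrides above, so without this override a staked fighter (or one sent
    // to a receiver already at the cap) moves with no check at all.
    function safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data)
        public
        override
    {
        require(_ableToTransfer(tokenId, to), "fighter not transferable");
        _safeTransfer(from, to, tokenId, data);
    }
}
```

A test for whatever form the fix takes should exercise all three overloads against a staked token and against a receiver at the cap, since the bug is precisely that one path was never covered. An alternative that closes every path at once is to move the staked/cap conditions into the '_beforeTokenTransfer(from, to, firstTokenId, batchSize)' hook that OZ 4.9.x exposes, skipping the check when 'from == address(0)' so minting is not blocked; the caller-authorisation part is already enforced by the OZ functions themselves.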
Token-Transfer
#0 - c4-pre-sort
2024-02-23T04:14:59Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-23T04:15:10Z
raymondfam marked the issue as duplicate of #54
#2 - c4-pre-sort
2024-02-23T04:47:03Z
raymondfam marked the issue as duplicate of #739
#3 - c4-pre-sort
2024-02-23T04:49:36Z
raymondfam marked the issue as sufficient quality report
#4 - c4-judge
2024-03-11T02:33:54Z
HickupHH3 marked the issue as satisfactory
Selected for report: Aamir
Also found by: 0rpse, 0x11singh99, 0x13, 0xAlix2, 0xAsen, 0xBinChook, 0xCiphky, 0xE1, 0xKowalski, 0xLogos, 0xWallSecurity, 0xaghas, 0xbranded, 0xlemon, 0xlyov, 0xpoor4ever, 0xprinc, 0xvj, ADM, Aymen0909, BARW, Bauchibred, Breeje, CodeWasp, DMoore, DeFiHackLabs, Draiakoo, Fulum, GhK3Ndf, Greed, Jorgect, Josh4324, Kalogerone, KmanOfficial, Krace, Limbooo, McToady, MidgarAudits, MrPotatoMagic, PedroZurdo, Pelz, Ryonen, SovaSlava, SpicyMeatball, Tendency, Timenov, ZanyBonzy, _eperezok, al88nsk, alexxander, alexzoid, aslanbek, blutorque, btk, cartlex_, cats, csanuragjain, deadrxsezzz, denzi_, devblixt, dimulski, djxploit, erosjohn, evmboi32, fnanni, grearlake, haxatron, hulkvision, immeas, israeladelaja, jaydhales, jesjupyter, jnforja, josephdara, juancito, kiqo, klau5, korok, krikolkk, ktg, kutugu, ladboy233, lil_eth, m4ttm, matejdb, merlinboii, n0kto, ni8mare, novamanbg, nuthan2x, oualidpro, pa6kuda, peter, petro_1912, pkqs90, pynschon, sandy, sashik_eth, shaflow2, shaka, sobieski, soliditywala, solmaxis69, stackachu, tallo, thank_you, tpiliposian, ubl4nk, visualbits, vnavascues, web3pwn, xchen1130, zhaojohnson
0.0037 USDC - $0.00
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L291
Even when a game item is marked non-transferable, its tokens can still be moved by calling 'safeBatchTransferFrom()', inherited unchanged from OpenZeppelin's ERC1155 (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v5.0.1/contracts/token/ERC1155/ERC1155.sol#L120). GameItems.sol only adds the transferable check to its single-id 'safeTransferFrom()' override; the batch function is a separate entry point that does not route through it, so the restriction is bypassed for any item placed in a batch.
In GameItems.sol, also override 'safeBatchTransferFrom()' from ERC1155.sol and require that every item id in the batch is transferable.
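The same shape for ERC1155, as an added illustration that is not AI Arena's GameItems.sol: a minimal token with a per-id transferable flag, the single-id override the finding refers to, and the batch override it is missing. The contract name, 'itemTransferable', 'mintItem()' and the 'admin' address are assumptions; the OZ function names and signatures are the same in the 4.9 and 5.0 lines, so the file compiles against either.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

contract GameItemsLike is ERC1155 {
    mapping(uint256 => bool) public itemTransferable;  // assumed per-item flag
    address public immutable admin;                    // assumed minter

    constructor() ERC1155("") {
        admin = msg.sender;
    }

    function mintItem(address to, uint256 id, uint256 amount, bool transferable) external {
        require(msg.sender == admin, "only admin");
        itemTransferable[id] = transferable;
        _mint(to, id, amount, "");
    }

    // The guard the finding says exists: single-id transfers are checked...
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes memory data)
        public
        override
    {
        require(itemTransferable[id], "item not transferable");
        super.safeTransferFrom(from, to, id, amount, data);
    }

    // ...but ERC1155.safeBatchTransferFrom is a separate public entry point that
    // never calls safeTransferFrom, so without this override a non-transferable
    // item moves freely as soon as it is wrapped in a batch. Every id in the
    // batch has to pass the check, not just the first one.
    function safeBatchTransferFrom(
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) public override {
        for (uint256 i = 0; i < ids.length; i++) {
            require(itemTransferable[ids[i]], "item not transferable");
        }
        super.safeBatchTransferFrom(from, to, ids, amounts, data);
    }
}
```

Both OZ lines also offer a single hook that sees the full 'ids' array for single and batch transfers alike ('_beforeTokenTransfer' in 4.x, '_update' in 5.x); putting the loop there, and skipping it when 'from == address(0)' so minting still works, guards both paths with one piece of code and cannot be missed by a future overload.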
Token-Transfer
#0 - c4-pre-sort
2024-02-22T03:25:49Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-22T03:25:57Z
raymondfam marked the issue as duplicate of #18
#2 - c4-pre-sort
2024-02-26T00:27:09Z
raymondfam marked the issue as duplicate of #575
#3 - c4-judge
2024-03-05T04:47:39Z
HickupHH3 changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-05T04:49:15Z
HickupHH3 marked the issue as satisfactory
#5 - c4-judge
2024-03-05T04:50:09Z
HickupHH3 removed the grade
#6 - c4-judge
2024-03-05T04:50:13Z
HickupHH3 marked the issue as satisfactory
Selected for report: klau5
Also found by: 0xAleko, 0xAlix2, 0xAsen, 0xCiphky, 0xKowalski, 0xlemon, 0xvj, 14si2o_Flint, Aamir, AlexCzm, Aymen0909, BARW, Blank_Space, DanielArmstrong, Davide, Draiakoo, Giorgio, McToady, MrPotatoMagic, PoeAudits, Ryonen, Silvermist, SpicyMeatball, Tychai0s, VAD37, Varun_05, alexxander, alexzoid, aslanbek, blutorque, btk, cats, d3e4, denzi_, evmboi32, fnanni, givn, grearlake, haxatron, jesjupyter, juancito, ke1caM, ktg, lanrebayode77, linmiaomiao, matejdb, merlinboii, n0kto, novamanbg, nuthan2x, petro_1912, pynschon, radin100, sashik_eth, shaka, sl1, soliditywala, solmaxis69, t0x1c, ubl4nk, vnavascues, xchen1130, yotov721, zhaojohnson
1.1225 USDC - $1.12
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L370 https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L372 https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L380 https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/FighterFarm.sol#L385
In '_createNewFighter()', fighterType == 1 sets fighters.dendroidBool = true and fighterType == 0 sets it to false, so the stored dendroidBool is the fighter's type of record.
'reRoll()' takes 'fighterType' as a caller-supplied parameter and never compares it with fighters[tokenId].dendroidBool. A malicious owner can therefore call 'reRoll()' with the wrong 'fighterType' and produce an inconsistent fighter: fighters[tokenId].dendroidBool is left unchanged, but the fighter's element, weight and physicalAttributes are recomputed for the other type. Those attributes feed into battles, so the mismatch may affect the fighter's winning rate and rewards.
Add a check in 'reRoll()' to make sure the 'fighterType' parameter is consistent with fighters[tokenId].dendroidBool, or drop the parameter and derive the type from the stored fighter.
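The unchecked and the hardened 'reRoll()' next to each other, as an added illustration that is not AI Arena's FighterFarm.sol: a cut-down fighter registry in which the type used for the reroll is read from the fighter's own record instead of trusted from the caller. The struct fields, 'numElements', 'maxRerollsAllowed', the attribute formulas and the open 'createFighter()' are assumptions standing in for the project's logic; the NRN fee and the AiArenaHelper call are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code.
contract FighterRerollLike {
    struct Fighter {
        uint256 element;
        uint256 weight;
        bool dendroidBool; // true <=> fighterType 1, false <=> fighterType 0
    }

    mapping(uint256 => Fighter) public fighters;
    mapping(uint256 => address) public fighterOwner;
    mapping(uint256 => uint8) public numRerolls;
    uint8[2] public maxRerollsAllowed = [3, 3]; // assumed per-type limits
    uint8[2] public numElements = [3, 1];       // assumed per-type element counts

    // Open minting purely for the illustration; the type is fixed here, once.
    function createFighter(uint256 tokenId, uint8 fighterType) external {
        require(fighterType < 2, "bad type");
        require(fighterOwner[tokenId] == address(0), "exists");
        fighterOwner[tokenId] = msg.sender;
        uint256 dna = uint256(keccak256(abi.encode(msg.sender, tokenId)));
        (uint256 element, uint256 weight) = _base(dna, fighterType);
        fighters[tokenId] = Fighter(element, weight, fighterType == 1);
    }

    // Vulnerable shape: fighterType is caller-controlled and never compared
    // with the stored dendroidBool, so a type-0 fighter can be rerolled as
    // type 1 (and vice versa) while its dendroidBool stays as it was.
    function reRollUnchecked(uint256 tokenId, uint8 fighterType) external {
        require(msg.sender == fighterOwner[tokenId], "not owner");
        require(numRerolls[tokenId] < maxRerollsAllowed[fighterType], "no rerolls left");
        _applyReroll(tokenId, fighterType);
    }

    // Hardened shape: derive the type from the record, so there is nothing for
    // the caller to lie about. Keeping the parameter and adding
    // require((fighterType == 1) == fighters[tokenId].dendroidBool) is equivalent.
    function reRoll(uint256 tokenId) external {
        require(msg.sender == fighterOwner[tokenId], "not owner");
        uint8 fighterType = fighters[tokenId].dendroidBool ? 1 : 0;
        require(numRerolls[tokenId] < maxRerollsAllowed[fighterType], "no rerolls left");
        _applyReroll(tokenId, fighterType);
    }

    function _applyReroll(uint256 tokenId, uint8 fighterType) private {
        numRerolls[tokenId] += 1;
        uint256 dna = uint256(keccak256(abi.encode(msg.sender, tokenId, numRerolls[tokenId])));
        (uint256 element, uint256 weight) = _base(dna, fighterType);
        fighters[tokenId].element = element;
        fighters[tokenId].weight = weight;
        // dendroidBool is deliberately untouched: that is exactly what makes the
        // unchecked path leave the fighter internally inconsistent.
    }

    // Assumed derivation; the only property that matters here is that the
    // result depends on fighterType.
    function _base(uint256 dna, uint8 fighterType) private view returns (uint256 element, uint256 weight) {
        element = dna % numElements[fighterType];
        weight = 65 + (dna % 31);
    }
}
```

Deriving the type from storage also removes the second place the parameter is trusted, the 'maxRerollsAllowed[fighterType]' lookup, so a caller can no longer pick whichever type has the more generous reroll limit.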
Other
#0 - c4-pre-sort
2024-02-21T23:53:51Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-21T23:53:58Z
raymondfam marked the issue as duplicate of #17
#2 - c4-pre-sort
2024-02-22T00:31:16Z
raymondfam marked the issue as sufficient quality report
#3 - c4-pre-sort
2024-02-22T00:31:21Z
raymondfam marked the issue as not a duplicate
#4 - c4-pre-sort
2024-02-22T00:31:39Z
raymondfam marked the issue as duplicate of #305
#5 - c4-pre-sort
2024-02-22T01:04:51Z
raymondfam marked the issue as duplicate of #306
#6 - c4-judge
2024-03-05T04:30:48Z
HickupHH3 marked the issue as satisfactory
#7 - c4-judge
2024-03-19T09:05:00Z
HickupHH3 changed the severity to 3 (High Risk)