Use of strict equalities that can be easily manipulated by an attacker.
Dangerous strict equality is where the use of strict equality (==) for comparison may lead to unexpected or potentially unsafe behaviour due to issues like type conversions, precision, or external input.
Proof of Concept
Here is a Proof of Concept (POC) for the incorrect equality in the getWord function:
pragma solidity ^0.8.19;
contract TestRandomPool {
randomPool rp = new randomPool();
function testGetWord() public {
// This will return the first word in the list, "Acai"
string memory word1 = rp.getWord(0);
assert(keccak256(abi.encodePacked(word1)) == keccak256(abi.encodePacked("Acai")));
// This will return the second word in the list, "Ackee"
string memory word2 = rp.getWord(1);
assert(keccak256(abi.encodePacked(word2)) == keccak256(abi.encodePacked("Ackee")));
// This will return the first word in the list, "Acai", due to incorrect equality
string memory word3 = rp.getWord(2);
assert(keccak256(abi.encodePacked(word3)) == keccak256(abi.encodePacked("Acai")));
}
}
In the getWord function, the id is decremented by 1 when it is not equal to 0.
This means that when id is 2, it will return the word at index 1, which is "Acai" instead of "Apple".
This is due to the incorrect equality id == 0.
Location
randomPool.getWord(uint256) (smart-contracts/XRandoms.sol#15-33) uses a dangerous strict equality:
- id == 0 (smart-contracts/XRandoms.sol#28)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/71d055b623b0d027886f1799739b7f785b5bc7cd/smart-contracts/XRandoms.sol#L28 https://github.com/code-423n4/2023-10-nextgen/blob/71d055b623b0d027886f1799739b7f785b5bc7cd/smart-contracts/XRandoms.sol#L15-L33
Vulnerability details
Impact
Use of strict equalities that can be easily manipulated by an attacker. Dangerous strict equality is where the use of strict equality (==) for comparison may lead to unexpected or potentially unsafe behaviour due to issues like type conversions, precision, or external input.
Proof of Concept
Here is a Proof of Concept (POC) for the incorrect equality in the getWord function:
In the getWord function, the id is decremented by 1 when it is not equal to 0. This means that when id is 2, it will return the word at index 1, which is "Acai" instead of "Apple". This is due to the incorrect equality id == 0. Location
Vulnerable line of code
Vulnerable getWords function
Tools Used
VS Code.
Recommended Mitigation Steps
Don't use strict equality to determine if an account has enough Ether or tokens.
Assessed type
Invalid Validation