Closed c4-bot-8 closed 6 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #136
HickupHH3 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L333
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L343
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L346
Vulnerability details
Impact
The NFT owner (victim) receives a game-losing penalty due to a race condition between the on-chain and off-chain parts of the game. In addition, it can consume the victim's voltage.
By quickly calling the game start API (e.g. initiating 10 games in rapid succession) and then transferring the NFT, it is possible to exhaust the victim's voltage.
Proof of Concept
The game is not processed on-chain, so interaction between the off-chain game server and the on-chain contract is necessary. Therefore, a race condition can occur.
The game execution flow is as follows.
4. Calls updateBattleRecord and registers results at the contract
5. updateBattleRecord transaction ends
A race condition can occur between steps 2 and 5. Even without front-running, if the user starts a game and immediately (or after a slight delay) requests to transfer the NFT, the NFT can be transferred between step 2 and step 5.
For example, say that after a game is requested from the frontend, the NFT used in the game is transferred to a new owner (the victim) just before updateBattleRecord is called in step 4. updateBattleRecord cannot know whether the user who actually played the game and the NFT owner at the time of the updateBattleRecord execution are the same. Therefore, the game result is registered to the victim. It can also consume the victim's voltage.
If an attacker creates a poor AI, they can lose the game on purpose. By intentionally losing the game and then transferring the token, they can damage the token recipient (the victim). Combined with another vulnerability (the ability to transfer a staked NFT), the attacker can lower the victim's points and reduce the victim's reward. Also, if the attacker initiates a game with this NFT, the attacker can force the victim to consume voltage.
This is a PoC. Add it to the RankedBattle.t.sol file and test it.
Using a vulnerability that allows transferring an NFT while it is staked, the NFT is moved and the accumulatedPointsPerAddress of the victim is reduced. This reduces the amount of reward the victim can receive. The victim's voltage is also used. Voltage can be consumed regardless of whether the NFT is staked or not. In this PoC the game is played only once, but if the attacker quickly starts the game 10 times and then transfers the NFT, the attacker can exhaust much of the victim's voltage.
Recommended Mitigation Steps
Before requesting a game from the game server, make a contract call to lock the token. After the game is over, unlock it.
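The lock-then-unlock mitigation as an added sketch, not AI Arena code: a lock registry that the fighter NFT's transfer path is assumed to consult, so the token cannot change owner between the game request and the result transaction. Every name here (BattleLock, IFighterOwner, lockForBattle, isLocked, recordBattle, unlockExpired, LOCK_TIMEOUT) is an assumption, as is the integration with the NFT contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not AI Arena code. Assumed names: IFighterOwner, BattleLock,
// lockForBattle, isLocked, recordBattle, unlockExpired, LOCK_TIMEOUT.
interface IFighterOwner {
    function ownerOf(uint256 tokenId) external view returns (address);
}
contract BattleLock {
    struct Lock { address player; uint64 lockedAt; }
    IFighterOwner public immutable fighters;
    address public immutable gameServer;            // only this address may report a result
    uint64 public constant LOCK_TIMEOUT = 1 hours;  // recovery if the server never reports
    mapping(uint256 => Lock) public locks;
    event BattleRecorded(uint256 indexed tokenId, address indexed player, bool won);

    constructor(IFighterOwner _fighters, address _gameServer) {
        fighters = _fighters;
        gameServer = _gameServer;
    }

    // Player calls this BEFORE requesting the off-chain game. One lock per token,
    // so "start 10 games quickly, then transfer" is not possible either.
    function lockForBattle(uint256 tokenId) external {
        require(fighters.ownerOf(tokenId) == msg.sender, "not owner");
        require(locks[tokenId].player == address(0), "already locked");
        locks[tokenId] = Lock(msg.sender, uint64(block.timestamp));
    }

    // The NFT contract's transfer path is assumed to revert while this is true.
    function isLocked(uint256 tokenId) external view returns (bool) {
        return locks[tokenId].player != address(0);
    }

    // Server result callback: credit the locker (still the owner) and release the lock.
    function recordBattle(uint256 tokenId, bool won) external returns (address player) {
        require(msg.sender == gameServer, "not game server");
        player = locks[tokenId].player;
        require(player != address(0), "not locked");
        require(fighters.ownerOf(tokenId) == player, "owner changed"); // defence in depth
        delete locks[tokenId];
        emit BattleRecorded(tokenId, player, won);
    }

    // Escape hatch so a token is never stuck if the server never reports.
    function unlockExpired(uint256 tokenId) external {
        Lock memory l = locks[tokenId];
        require(l.player != address(0) && block.timestamp >= l.lockedAt + LOCK_TIMEOUT, "not expired");
        delete locks[tokenId];
    }
}
```

Because recordBattle credits the address that locked the token rather than ownerOf at execution time, both the result and the voltage cost land on the player who requested the game; the timeout keeps a lock from freezing a token if the server never reports.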
Assessed type
Timing