Closed c4-bot-9 closed 9 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #56
HickupHH3 changed the severity to QA (Quality Assurance)
HickupHH3 marked the issue as grade-c
very broad and generic description on signatures
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/FighterFarm.sol#L191-L222
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/FighterFarm.sol#L199-L206
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L270-L271
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L271
Vulnerability details
Impact
The AAMintPass and FighterFarm contracts leverage signatures from a delegated off-chain server to control access for operations like claiming NFTs. For example: src/FighterFarm.sol
A few risks here:
Some of the potential issues with the signature validation approach here include:
So while the use of eth_sign and ecrecover is good practice, additional controls around uniqueness, freshness, and expiration of approved signatures would make the system more tamper-proof.
Proof of Concept
The claimFighters function allows minting new NFT fighters upon presenting
It first constructs a hash of key request details, validates the signature, then creates the NFTs.
The root cause is that the signed message hash lacks any nonce, timestamp, or other claim-specific detail that would uniquely identify the request. This allows on-chain replay of a signature that has already been used.
Attack Vectors
claimFighters with a valid signature and mints NFTs
src/FighterFarm.sol#L199-L206
Impact
Enables dishonest minting of NFTs not approved via valid signature. Could lead to loss of exclusivity or fairness in distribution.
The RankedBattle contract allows staking and managing NFT fighters for ranked matches. There is withdrawal logic checking that the caller owns the fighter token: src/RankedBattle.sol#L270-L271
This snapshot ownership check could go stale if the fighter NFT was transferred right before unstaking.
Scenario
Impact on Platform
This would wrongly allow users to withdraw staked tokens sent by others. At scale across users, it could enable theft of stakes and damage system integrity.
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/RankedBattle.sol#L271
Mitigation Recommendation
Compute the owner while also considering pending ownership-change transactions in the mempool or in event logs.
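The recommendation above is to take pending ownership changes into account when deciding who may withdraw. As an added example that is not part of this report or of the AI Arena code base, the hypothetical StakeExample contract below shows a different, purely on-chain way to close the same gap: record the account that placed the stake at stake time and release the stake only to that account, so authorization at unstake time no longer depends on who holds the NFT at that moment. Contract, interface and function names are assumptions, and the stake is held in native ETH (also an assumption made for this example) rather than the project's staking token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 view used by the example (assumed interface, not the project's).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

/// Hypothetical staking contract written for this note; not AI Arena's RankedBattle.
/// It records who staked each fighter and releases stake only to that account, so a
/// later transfer of the NFT does not hand the stake to the new holder.
contract StakeExample {
    IERC721Minimal public immutable fighters;
    mapping(uint256 => address) public stakedBy; // tokenId => account that staked it
    mapping(uint256 => uint256) public stakeOf;  // tokenId => amount staked (wei)

    constructor(address fighterNft) {
        fighters = IERC721Minimal(fighterNft);
    }

    /// Stake against a fighter the caller currently owns; the staker is recorded.
    function stake(uint256 tokenId) external payable {
        require(msg.value > 0, "nothing to stake");
        require(fighters.ownerOf(tokenId) == msg.sender, "not owner");
        require(stakedBy[tokenId] == address(0), "already staked");
        stakedBy[tokenId] = msg.sender;
        stakeOf[tokenId] = msg.value;
    }

    /// WEAK: authorizes on ownerOf at call time only. Whoever holds the NFT when this
    /// runs (for instance after a transfer) can withdraw what the previous holder staked.
    function unstakeByCurrentOwner(uint256 tokenId) external {
        require(fighters.ownerOf(tokenId) == msg.sender, "not owner");
        _release(tokenId, msg.sender);
    }

    /// HARDENED: authorizes on the recorded staker, independent of current NFT ownership.
    function unstakeByStaker(uint256 tokenId) external {
        require(stakedBy[tokenId] == msg.sender, "not staker");
        _release(tokenId, msg.sender);
    }

    /// Clear state before the value transfer (checks-effects-interactions).
    function _release(uint256 tokenId, address to) internal {
        uint256 amount = stakeOf[tokenId];
        require(amount > 0, "nothing staked");
        delete stakeOf[tokenId];
        delete stakedBy[tokenId];
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Both unstake paths are kept in one contract only so the two authorization rules can be read side by side; a production contract would expose just the staker-bound path. Tying release to the recorded staker is a deterministic on-chain check and does not require any view of the mempool.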
Tools Used
Manual Review
Recommended Mitigation Steps
Solution
Add an incrementing nonce or timestamp to each hash/signature to ensure freshness and uniqueness.
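As an added illustration of the root cause described in the Proof of Concept and of the nonce/timestamp mitigation recommended here (example code written for this note, not AI Arena's FighterFarm and not the warden's code): the hypothetical SignedClaimExample contract below has a claimVulnerable function whose signed digest covers only the caller and an amount, so the same signature verifies on every call, beside a claimHardened function whose digest also commits to a per-account nonce, a deadline, the chain id and the contract's own address, with the nonce consumed on success. The signer address, function names and the amount field are assumptions; the signature format assumed is the eth_sign style 65-byte (r, s, v) encoding with the EIP-191 "\x19Ethereum Signed Message:\n32" prefix, verified with ecrecover as the report mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical claim contract written for this note; not AI Arena's FighterFarm.
/// It contrasts a signature scheme with no replay protection against one that binds
/// each signature to a nonce, a deadline and this contract on this chain.
contract SignedClaimExample {
    address public immutable signer;           // delegated off-chain signer (assumed)
    mapping(address => uint256) public nonces; // per-account nonce, consumed on use
    mapping(address => uint256) public claimed;

    constructor(address delegatedSigner) {
        signer = delegatedSigner;
    }

    /// Recover the signer of an eth_sign style message (EIP-191 prefix over a 32-byte digest).
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // Reject high-s values and v outside {27, 28} so a signature has one valid encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        bytes32 prefixed = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address recovered = ecrecover(prefixed, v, r, s);
        require(recovered != address(0), "invalid signature");
        return recovered;
    }

    /// VULNERABLE: the digest covers only (caller, amount). Nothing in it changes between
    /// calls, so one signature from the signer can be presented again and again.
    function claimVulnerable(uint256 amount, bytes calldata sig) external {
        bytes32 digest = keccak256(abi.encode(msg.sender, amount));
        require(_recover(digest, sig) == signer, "not signer");
        claimed[msg.sender] += amount;
    }

    /// HARDENED: the digest also commits to a per-account nonce (uniqueness), a deadline
    /// (freshness), and the chain id plus this contract's address (no reuse elsewhere).
    /// The nonce is advanced on success, so a second presentation fails verification.
    function claimHardened(uint256 amount, uint256 deadline, bytes calldata sig) external {
        require(block.timestamp <= deadline, "signature expired");
        uint256 nonce = nonces[msg.sender];
        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(this), msg.sender, amount, nonce, deadline)
        );
        require(_recover(digest, sig) == signer, "not signer");
        nonces[msg.sender] = nonce + 1; // effects before any later external interaction
        claimed[msg.sender] += amount;
    }
}
```

The off-chain signer reads nonces(account) before signing so the digest it signs matches what claimHardened will reconstruct. The digest here is a plain keccak256 over abi.encode to keep the example dependency-free; EIP-712 typed data is the more common production choice and gives the same replay, expiry and domain-binding properties with a wallet-readable message.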
Assessed type
Invalid Validation