Voltage battery replenishment could cost overpayment

[c4-bot-1]

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/VoltageManager.sol#L93-L99

Vulnerability details

Impact

The current mechanism for voltage battery replenishment in the VoltageManager contract, through the use of the useVoltageBattery function, can lead to inefficient utilization of Neuron tokens, potentially a high-value in-game currency. Given that each ERC1155 voltage battery token requires Neuron tokens for minting, the ability to use a battery for minor voltage replenishments (e.g., from 90 to 100) could result in a disproportionate expenditure of Neuron tokens relative to the utility gained. This inefficiency can lead to unnecessary depletion of players' ERc1155 reserves, which might have been allocated more strategically or economically within the game's ecosystem. The severity of this issue is significant as it directly impacts the in-game economy and player resource management, potentially leading to economic imbalances and affecting player retention and satisfaction.

Proof of Concept

The function allowing for the use of a voltage battery is as follows:

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/VoltageManager.sol#L93-L99

    function useVoltageBattery() public {
        require(ownerVoltage[msg.sender] < 100);
        require(_gameItemsContractInstance.balanceOf(msg.sender, 0) > 0);
        _gameItemsContractInstance.burn(msg.sender, 0, 1);
        ownerVoltage[msg.sender] = 100;
        emit VoltageRemaining(msg.sender, ownerVoltage[msg.sender]);
    }

It checks if the player's voltage is less than 100 and if they possess at least one ERC1155 game token. If both conditions are met, it burns one ERC1155 token to set the player's voltage to 100, without considering how much voltage is actually being replenished.

This implementation does not consider the current voltage level beyond being less than 100, allowing players to use a voltage battery for minor replenishments. Given the cost of minting ERC1155 tokens with Neuron tokens, this can lead to suboptimal spending of valuable resources.

Additionally, the voltage of the initiator isn't spent until _gameServerAddress calls updateBattleRecord(). There's no in-game voltage replenish needed and no rush for it till ownerVoltage[msg.sender] == 10 after the battle to have the last 10 voltage spent.

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/RankedBattle.sol#L345-L347

        if (initiatorBool) {
            _voltageManagerInstance.spendVoltage(fighterOwner, VOLTAGE_COST);
        }

Tools Used

Manual

Recommended Mitigation Steps

Amend the useVoltageBattery function to allow usage only when the voltage is fully depleted or below a certain threshold that justifies the use of the function. This change ensures that the Neuron tokens spent on minting ERC1155 game voltage token are used economically, providing maximum utility and preserving player resources.

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/VoltageManager.sol#L94

-        require(ownerVoltage[msg.sender] < 100);
+        require(ownerVoltage[msg.sender] == 0);

Assessed type

Other

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #27

[c4-judge]

HickupHH3 changed the severity to QA (Quality Assurance)