Closed c4-bot-6 closed 8 months ago
raymondfam marked the issue as insufficient quality report
The function logic would revert circumventing paving the way as FCFS to the next transaction by others.
raymondfam marked the issue as duplicate of #80
HickupHH3 marked the issue as unsatisfactory: Invalid
Hey, @HickupHH3!
This isn't duplicate of issue #80. Please review it again!
wholeheartedly DISagree; this is a general DoS issue that can be applied to all protocols. stuff txns to prevent liquidations, swapping etc.
but stuffing liquidations can't be done endlessly (in the more situation) and without ANY purpose, right.
here, users have purpose and they just need to complete the transaction in no more than one day, which is very cheap on Arbitrum. moreover, the impact is much more than DoS, a malicious user can exploit the daily allowance mechanism to monopolize the minting of rare or valuable game items. By performing block stuffing - filling blocks with dummy transactions, the malicious user can delay other transactions, ensuring their own minting transactions are processed as soon as the daily allowance replenishes.
also there is another bug in prevous c4 contest about block stuffing which was considered as valid medium severity issue: code-423n4/2023-05-venus-findings#525
@HickupHH3
disagree, in this context, it'll be like participating in a whitelist token sale, FCFS. there isn't a loss to the protocol; users unfortunately know that it's whilst stock last, if they fail, then too bad.
yes, when we look at this side, I also think that:
But, this bug leads to unfair obtaining the full amount (items) of specific NFTs from a specific user/s, which will break the logic of AI Arena protocol as game items are digital assets that provide players with various benefits, abilities, etc, within the AI Arena game. These items can range from weapons and armor to unique skins and collectibles, each with specific attributes and value., which is definately not the protocol desire.
as in my report writes:
Impact: This behavior allows the malicious user to unfairly accumulate rare or valuable items, undermining the fairness and balance intended by the daily allowance mechanism. This exploit undermines the integrity of the game's economy and the fairness of item distribution. It allows individuals to gain an unfair advantage, potentially hoarding valuable items and disrupting the intended gameplay dynamics.
@HickupHH3
Cheers!
Rate limiting is kinda in-place already with allowanceRemaining
(per user, per item).
Rate limiting is kinda in-place already with
allowanceRemaining
(per user, per item). yep and my report describe how this allowanceRemaining (daily allowance) can be bypassed.
It's crucial to differentiate between general DoS vulnerabilities that affect various protocols and the specific exploit (aka my issue) within the AI Arena's GameItems.sol
minting mechanism. While you argues that this issue falls under a general DoS category applicable to all protocols, the nuances of the AI Arena protocol warrant a closer examination.
Let me explain.
Firstly, my issue leverages the daily allowance mechanism uniquely implemented in the AI Arena protocol, allowing a malicious user to monopolize the minting of rare or valuable game items. This is not merely a DoS attack but a strategic manipulation that undermines the fairness and competitive balance the daily allowance mechanism aims to ensure. In the context of AI Arena, where game items provide significant advantages, the ability to unfairly acquire these items can significantly disrupt the game's economy and player experience. Also the block stuffing cannot be done on every chain.
Furthermore, while you mentions that rate limiting through allowanceRemaining
is similar to participating in a whitelist token sale on a first-come-first-serve basis, this perspective overlooks the strategic abuse potential. Unlike a token sale, where early participation is the only requirement, my issue involves deliberately timing and congesting the network to exclude others from participating. This is not about being first; it's about denying others the opportunity to participate at all.
Lastly, the as we saw, the block stuffing issues in previous contests were acknowledged as valid medium severity issues, underscores the legitimacy of the block stuffing, because block stuffing cannot be done on every chain. The ability to manipulate the minting process not only results in DoS but also in an unfair accumulation of valuable assets, contrary to the intended design of the AI Arena protocol.
imo my issue is valid because it exploits specific mechanics of the AI Arena protocol to gain an unfair advantage, going beyond general network congestion issues. It undermines both the fairness and the integrity of the AI Arena game, which requires consideration and mitigation beyond that provided by existing speed limit measures.
@HickupHH3!
i don't see this being an issue: if the period was a couple of blocks, sounds do-able. but an entire day? those interacting with other DApps on Arbitrum will complain that their txns aren't going through; devs will step in and do something.
my decision on this is final, you may escalate to the appeal committee if you'd like.
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L147-L176 https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L312-L315
Vulnerability details
Impact
The
GameItems.sol
contract in the AI Arena protocol is designed to manage the lifecycle of game items using the ERC-1155 standard, which includes minting, transferring, and burning of items. This contract plays a crucial role in the game's economy, allowing players to acquire, use, and trade various items within the game.Game items are digital assets that provide players with various benefits, abilities, or cosmetic enhancements within the AI Arena game. These items can range from weapons and armor to unique skins and collectibles, each with specific attributes and value.
Players can mint new game items by calling the
GameItems.sol#mint()
function, specifying thetokenId
of the item they wish to mint and the quantity. The minting process is subject to certain conditions, including the availability of the item (finite supply) and the player's daily allowance for that specifictokenId
.Each
tokenId
has a daily allowance mechanism. The daily allowance mechanism is a feature designed to limit the number of certain game items a player can mint within a 24-hour period. This is particularly important for rare or valuable items, ensuring fair distribution among players and maintaining the items' scarcity and value. The contract tracks the daily allowance for eachtokenId
per user, along with the time when the allowance will be replenished. Code Reference: Daily Allowance Mechanism*The minting relays on this daily allowance. Now, there is a serious problem, because malicious user can stuffing (the whole duration that is required for his daily allowance to replenish) with dummy transactions. The stuffing with dummy transactions is very cheap on Arbitrum. According to https://www.cryptoneur.xyz/en/gas-fees-calculator 50M gas (which is several whole blocks) - costs ~11.1192 USD$ on Arbitrum. So malicious user can exploit the daily allowance mechanism to monopolize the minting of rare or valuable game items. By performing block stuffing - filling blocks with dummy transactions, the malicious user can delay other transactions, ensuring their own minting transactions are processed as soon as the daily allowance replenishes.
Also important note here is that mining the block takes significantly more time than executing the transactions (as it writes in the following article: https://medium.com/hackernoon/the-anatomy-of-a-block-stuffing-attack-a488698732ae)
Proof of Concept
Impact: This behavior allows the malicious user to unfairly accumulate rare or valuable items, undermining the fairness and balance intended by the daily allowance mechanism.
This exploit undermines the integrity of the game's economy and the fairness of item distribution. It allows individuals to gain an unfair advantage, potentially hoarding valuable items and disrupting the intended gameplay dynamics.
Tools Used
Manual Review
Recommended Mitigation Steps
There isn't very elegant way to fix this issue, but the mitigation that I can recommend is
implement transaction rate limiting
. Introduce rate limiting for user mining transactions to prevent rapid succession that can lead to block overflows.Assessed type
Context