Closed c4-bot-5 closed 6 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
This would cause an issue indeed unless the new owner chooses to play in the next round.
brandinho marked the issue as disagree with severity
The severity should be medium.
This comment is an exaggeration: "the game server can never update the battle data for this tokenId ever." Updates only won't work for the current round.
Also, this DoS only happens if a user bypasses the safeTransferFrom (from another issue we are going to resolve), so if we fix that, then this is not an issue. The reason is because
accumulatedPointsPerFighter[tokenId][roundId] > 0
is only positive if the previous owner had staked and won. This means that in order to transfer (assuming we fix the override), they need to unstake. If they unstake, then the new owner will NOT be able to restake for that round, which means this line of code will never get triggered.
brandinho (sponsor) confirmed
HickupHH3 changed the severity to 2 (Med Risk)
HickupHH3 marked the issue as satisfactory
Also, this DoS only happens if a user bypasses the safeTransferFrom (from another issue we are going to resolve), so if we fix that, then this is not an issue. The reason is because accumulatedPointsPerFighter[tokenId][roundId] > 0 is only positive if the previous owner had staked and won. This means that in order to transfer (assuming we fix the override), they need to unstake. If they unstake, then the new owner will NOT be able to restake for that round, which means this line of code will never get triggered.
The root cause seems to be that when unstaking, a fighter with 0 remaining stake amount but has non-zero stake at risk is updated to be unstaked, which causes the DoS when transferred to another owner. This is independent from the override. See #137 as an example.
I believe the underflow with the amountLost
mapping stems from the same issue, but I'll leave it to post-judging for other wardens to correct me if i'm wrong.
Severity: 2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
The solution mentioned in #833 might also solve this issue, to _addResultPoints()
only if the NFT remains staked for that round. Then the stake-at-risk funds would be deemed lost and swept (whether this is acceptable is another issue, as long as the stake is reduced, the NFT will be marked as unstaked for the current round).
Full credit: finding root vulnerability: change updateFighterStaking()
to false
when _stakeAtRiskInstance.getStakeAtRisk(tokenId) != 0
Partial credit: 50%. Subtraction underflow issues of amountLost
|| accumulatedPointsPerAddress
mapping without some mention of the main vuln
HickupHH3 changed the severity to 3 (High Risk)
HickupHH3 changed the severity to 2 (Med Risk)
HickupHH3 marked the issue as partial-50
HickupHH3 marked the issue as satisfactory
HickupHH3 marked issue #137 as primary and marked this issue as a duplicate of 137
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L343 https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/RankedBattle.sol#L486
Vulnerability details
Impact
Code from RankedBattle::_addResultPoints
This issue is not related to frontrunning or staked amount manipulation, but uniquely related to transfering tokens after unsatking because the owner doesn;t want to battle by staking anymore. So now previously he won some points. And these points can be used to claim tokens if won, or lost then points are decreased. This is when the DOS is impacting, by changing owner by transfering the token to another wallet or worse selling in marketplace. So now the points cannot be decreased even if lost, and he can use those points for claiming NRN for the rounds he previously won. This is unfair claiming of rewards, and also the game server can never update the battle data for this tokenId ever. It will be worse when the token is sold on markets, where the new owner cannot win any more battles with that fighter nft.
If the
fighterOwner
is changed for a token, then that token's battle points cannot be updated becauseaccumulatedPointsPerAddress[fighterOwner][roundId]
will be 0, and if the owner is changed, then 0 - some points will revert and its a DOS.See POC section for the attack scenario
Proof of Concept
sample attack scenario, doesn't have to be exactly like this, the user just have to own some points won previously and stake at risk should be > 0. There is so much time in between these activities and som amy oppurtunities to unstake, so no need to frontrun. for example: if 90+ volate is spent, the game server cannot call update battle record.
updateBattleRecord
action will fail due to the DOS mentioned above.claimNRN
, so now he can mint new nfts by merging, so he not not caused DOS to update battle but also claim reward for he doesn't deserve.Tools Used
Manual + Foundry testing
Recommended Mitigation Steps
Do not keep track of
accumulatedPointsPerAddress
onchain, but keep track on offchain, because it doesn;t serve any purpose on chain, because it is not validating.Assessed type
DoS