Open c4-bot-2 opened 7 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #33
raymondfam marked the issue as duplicate of #1626
HickupHH3 marked the issue as satisfactory
HickupHH3 marked the issue as selected for report
Mitigated here
brandinho (sponsor) confirmed
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L233-L263
Vulnerability details
The function `redeemMintPass` allows burning multiple mint passes in exchange for fighter NFTs. The sponsor mentioned that the player should not have a choice in customizing the fighters' properties and their type. However, nothing prevents a player from:
- providing a `uint8[] fighterTypes` array of values 1 to mint fighters of type Dendroid;
- inspecting previous transactions whose `dna` led to minting fighters with rare physical attributes, copying those DNAs and passing them to `redeemMintPass` to mint fighters with low-rarity attributes. That is because creating physical attributes is deterministic, so providing the same inputs generates a fighter with the same attributes.
Impact
This issue has two major impacts:
Proof of Concept
Someone holding valid mint passes calls the function `redeemMintPass` providing a `fighterTypes` array of values 1. For each mint pass, the inner function `_createNewFighter` will be called with the value 1 as the `fighterType` argument, which corresponds to Dendroid, so a new fighter of type Dendroid will be minted for the caller.
The player can also inspect previous transactions that minted a fighter with rare attributes, copy the provided `mintPassDnas` and pass them as the argument to `redeemMintPass`. The `_createNewFighter` function calls `AiArenaHelper` to create the physical attributes for the fighter. The attribute probability is deterministic, and since the player provided a `dna` that already led to a fighter with rare attributes, his fighter will also have rare attributes.
Tools Used
Manual Review
Recommended Mitigation Steps
The main issue is that the mint pass token is not tied to the fighter properties that the player should claim, and the player has complete freedom over the inputs. Consider implementing a signature mechanism that prevents the player from changing the fighter's properties, as implemented in `claimFighters`.
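An added example, not the project's code: a hypothetical, simplified redeem function that binds the mint pass ids, fighter types and DNAs to a message signed by a trusted off-chain signer (`delegatedAddress`, OpenZeppelin v5 `ECDSA`/`MessageHashUtils` assumed), so the player can no longer pick the values themselves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Hypothetical sketch (not the AI Arena contract): the fighter properties
/// are committed to by a trusted signer instead of being free calldata.
contract SignedMintPassRedeem {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    address public immutable delegatedAddress;  // trusted signer (assumed)
    mapping(uint256 => bool) public redeemed;   // mint pass ids already used

    event FighterCreated(address indexed to, uint256 mintPassId, uint256 dna, uint8 fighterType);

    constructor(address signer) {
        delegatedAddress = signer;
    }

    // Vulnerable shape, for contrast: every property comes straight from the caller.
    // function redeemMintPass(uint256[] calldata ids, uint8[] calldata fighterTypes,
    //     uint256[] calldata dnas) external { ... _createNewFighter(dnas[i], fighterTypes[i]) }

    function redeemMintPass(
        uint256[] calldata mintPassIds,
        uint8[] calldata fighterTypes,
        uint256[] calldata mintPassDnas,
        bytes calldata signature
    ) external {
        require(mintPassIds.length == fighterTypes.length, "length mismatch");
        require(mintPassIds.length == mintPassDnas.length, "length mismatch");
        // The signer commits to (caller, pass ids, types, DNAs) as one message;
        // changing any element, e.g. a type to 1 or a copied DNA, breaks the signature.
        bytes32 digest = keccak256(abi.encode(msg.sender, mintPassIds, fighterTypes, mintPassDnas))
            .toEthSignedMessageHash();
        require(digest.recover(signature) == delegatedAddress, "invalid signature");
        for (uint256 i = 0; i < mintPassIds.length; i++) {
            // One-time use of each pass also stops replaying a valid signature.
            require(!redeemed[mintPassIds[i]], "pass already redeemed");
            redeemed[mintPassIds[i]] = true;
            // Burning the pass and deriving attributes from mintPassDnas[i] omitted here.
            emit FighterCreated(msg.sender, mintPassIds[i], mintPassDnas[i], fighterTypes[i]);
        }
    }
}
```

Because the mint pass id is part of the signed message and marked redeemed, a signature cannot be reused with a different pass or after the pass is spent.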
Assessed type
Invalid Validation