code-423n4 / 2024-02-ai-arena-findings


Missing validation in redeemMintPass() allows gamer to obtain any fighter type and custom attributes #939

Closed c4-bot-2 closed 8 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L233

Vulnerability details

Impact

The redeemMintPass() function is used to redeem AA mint passes for fighter NFTs. The issue is that the function allows any user/gamer to pass in the parameters fighterTypes, iconTypes and mintPassDnas of their choice.

Impacts:

  1. Users can always provide fighterTypes as 1 to mint rare dendroid fighter NFT.
  2. Users can always pass 2 or 3 for iconsType to get the rarest physical attributes (i.e. beta helmet, red diamond, bowling ball). Any values other than 2 or 3 (except 0) would give them red diamonds only. Overall, icons are a rare subtype of champions, so getting red diamonds is still rare.
  3. Users can trial and error (or fuzz test if skillful) by keccak256 hashing mintPassDnas values offchain to receive the rarest physical attribute probability indexes for champions and icons. It could also be used to receive their preferred weight and element type.

On further discussions with the sponsor, the expected behaviour is for their server to give users the correct inputs and to have validation onchain.

Proof of Concept

It would be cumbersome to explain each of the issues given the complexities in calculations and value assignments. The coded POC below demonstrates every impact mentioned above to its best.

How to use this POC:

Impact 1 confirmation

[PASS] testUserCanCreateDendroids() (gas: 594212)
Logs:
  Impact 1 confirmed - User received dendroid (every attribute is 99)

Impact 2 confirmations

[PASS] testUserCanCreateIconsWithBetaHelmetAndRedDiamonds() (gas: 648773)
Logs:
  Impact 2 - User receives icon with beta helmet and red diamonds
[PASS] testUserCanCreateIconsWithBowlingBallAndRedDiamonds() (gas: 649152)
Logs:
  Impact 2 - User receives icon with bowling ball and red diamonds

Impact 3 confirmations

[PASS] testUserCanReceiveElementOfTheirChoice() (gas: 12206)
Logs:
  Impact 3 - User receives expected element if he uses mintPassDna value: dna
[PASS] testUserCanReceiveWeightOfTheirChoice() (gas: 4734)
Logs:
  Impact 3 - User receives expected weight if he uses mintPassDna value: dna

Tools Used

Manual Review

Recommended Mitigation Steps

Since the expected behaviour is for the team's game server to give users the correct inputs and to have validation onchain, the implementation would be similar to how claimFighters() is implemented.

For the parameters fighterTypes and iconsType, consider hashing them into a msgHash and verifying it against the signature (an additional parameter to be provided) to ensure the delegatedAddress from the frontend has provided the correct inputs. Make sure to also include a nonce in the msgHash to avoid replay attacks.

In case of parameter mintPassDnas, remove the parameter and use the hash of msg.sender and fighters.length as done in claimFighters(). The hash could also include the mintPassId the user is redeeming.

The above solutions are just recommendations that prevent this issue from occurring. The team can perform their own validation mechanism based on how they provide parameters from the frontend.

Assessed type

Other
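A sketch of the mitigation the report recommends (server-signed fighterType/iconsType bound to a per-user nonce, and the DNA derived on-chain from msg.sender, fighters.length and mintPassId instead of a caller-supplied mintPassDnas), added here as an example and not the project's own code. The contract name, storage variable names, event and the OpenZeppelin ECDSA dependency are assumptions; the real redeemMintPass() signature and the mint pass burn are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Hypothetical hardened redemption flow (assumed names, not the AI Arena code).
contract MintPassRedemptionSketch {
    /// Game-server signer the frontend is expected to use (assumed storage name).
    address public immutable delegatedAddress;
    /// Per-user nonce so a signed payload cannot be replayed.
    mapping(address => uint32) public nonces;
    /// Stands in for fighters.length in the real contract.
    uint256 public fightersLength;

    event FighterParamsAccepted(address indexed user, uint256 mintPassId, uint8 fighterType, uint8 iconsType, uint256 dna);

    constructor(address signer) {
        delegatedAddress = signer;
    }

    /// Message the server signs: binds caller, pass id, fighter/icon types and the
    /// caller's current nonce to this chain and this contract.
    function buildMsgHash(address user, uint256 mintPassId, uint8 fighterType, uint8 iconsType, uint32 nonce)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), user, mintPassId, fighterType, iconsType, nonce));
    }

    function redeemMintPass(uint256 mintPassId, uint8 fighterType, uint8 iconsType, bytes calldata signature) external {
        // 1. Recompute the hash on-chain from the caller's own inputs and stored nonce,
        //    so any tampering with fighterType or iconsType changes the hash.
        bytes32 msgHash = buildMsgHash(msg.sender, mintPassId, fighterType, iconsType, nonces[msg.sender]);
        // 2. Verify the server signed exactly these parameters (EIP-191 personal_sign prefix).
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", msgHash));
        require(ECDSA.recover(ethHash, signature) == delegatedAddress, "invalid server signature");
        // 3. Consume the nonce so the same signature cannot be replayed.
        nonces[msg.sender]++;
        // 4. Derive the DNA on-chain; the caller never supplies mintPassDnas.
        uint256 dna = uint256(keccak256(abi.encode(msg.sender, fightersLength, mintPassId)));
        fightersLength++;
        emit FighterParamsAccepted(msg.sender, mintPassId, fighterType, iconsType, dna);
        // ... burn the mint pass and create the fighter from (fighterType, iconsType, dna)
    }
}
```

Because the DNA is computed from values the caller cannot choose freely, off-chain trial and error over mintPassDnas no longer selects attributes, and a signature captured for one redemption is rejected once the nonce has advanced.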

c4-pre-sort commented 8 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #33

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #1626

c4-judge commented 8 months ago

HickupHH3 marked the issue as satisfactory