Open c4-bot-1 opened 5 months ago
jhsagd76 marked the issue as satisfactory
jhsagd76 marked the issue as selected for report
jhsagd76 marked the issue as primary issue
Per request from the judge @jhsagd76 here, updating the labels on this issue accordingly.
Lines of code
https://github.com/ArenaX-Labs/2024-02-ai-arena-mitigation/blob/d81beee0df9c5465fe3ae954ce41300a9dd60b7f/src/FighterFarm.sol#L349-L373
Vulnerability details
Players can exploit mintFromMergingPool dna calculation to mint rare fighter
Impact
This issue is strongly related to issue #1017 (Users can get benefited from DNA pseudorandomly calculation), which describes 4 impacts:
We want to focus on impact 2. In issue #1017 it is reported:
So, before mitigation, a user can not manipulate the output hash, but can claim the MergingPool reward to mint an NFT when the output hash will be beneficial for him.
An attempted mitigation was made in #3:
We think that this mitigation doesn't solve the issue. Furthermore, it introduces a new vulnerability. Now, the user can manipulate the output hash, because it depends on the to address, which can be manipulated by the user.
Proof of Concept
The PoC of this issue is similar to the ones in #53 and #519.
After mitigation, the attributes of the fighter obtained using FighterFarm.mintFromMergingPool() depend on two parameters:
The value passed to line L366 represents the dna. It depends on the to address and on fighters.length.
FighterFarm.mintFromMergingPool() can be called successfully only by the contract at _mergingPoolAddress, i.e., MergingPool.sol, using the MergingPool.claimRewards() method:
So, a player can mintFromMergingPool only when he/she claims a reward after winning a battle.
Let's explain the attack vector. Before the next round, fighters.length = 0. Eve was able to forecast that a very rare fighter can be minted using a specific address, called address_E, when fighters.length = 10. She can do that because she can precompute the dna value and use AiArenaHelper.createPhysicalAttributes() to forecast the resulting attributes.
Using Create2, Eve can create a malicious contract at address address_E. Then Eve mints a new fighter using, for example, a mint pass and tries to win the current round. If she manages to do that, she can use the contract at address address_E to claim a reward in the current round.
Assume that after this round fighters.length = 0 still holds. The malicious contract could implement a call to MergingPool.claimRewards() that is invoked repeatedly and reverts until fighters.length = 10. In this way, Eve is sure to claim a reward with address_E and fighters.length = 10, and thus obtain the fighter with the wanted characteristics.
Tools Used
Visual inspection
Recommended Mitigation Steps
The problem lies in the use of an externally controlled input by a pseudorandom algorithm. We suggest introducing an oracle to obtain random input numbers, or at least using block.timestamp, to make it harder to forecast when fighters.length reaches the wanted value:
Assessed type
Other
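As an added example (not the project's code, and not the snippet the recommendation above refers to), this is the request/fulfil shape the oracle recommendation implies, written against Chainlink VRF v2; the weakDna formula, the contract's storage layout, the import paths and the VRF request parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AI Arena code. Import paths and the Chainlink VRF v2
// interfaces (requestRandomWords / fulfillRandomWords) are assumed available.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract OracleSeededMint is VRFConsumerBaseV2 {
    struct Fighter { address owner; uint256 dna; }
    struct Pending { address to; uint256 slot; }
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subId;
    address private immutable mergingPool;
    Fighter[] public fighters;
    mapping(uint256 => Pending) public pending; // VRF requestId => reserved mint

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId, address _mergingPool)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
        mergingPool = _mergingPool;
    }

    // WEAK shape (assumed formula for the pattern the finding describes): both
    // inputs are known to, and `to` is chosen by, the caller before sending.
    function weakDna(address to) public view returns (uint256) {
        return uint256(keccak256(abi.encode(to, fighters.length)));
    }

    // Step 1: the merging pool reserves a mint; no attributes are decided yet.
    function requestMint(address to) external returns (uint256 requestId) {
        require(msg.sender == mergingPool, "only merging pool");
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        pending[requestId] = Pending(to, fighters.length);
    }

    // Step 2: the coordinator delivers a word that did not exist at request
    // time. The claimant's contract is not on this call path, so it can neither
    // pick `to` against a known outcome nor revert-and-retry for a better one.
    function fulfillRandomWords(uint256 requestId, uint256[] memory words) internal override {
        Pending memory p = pending[requestId];
        delete pending[requestId];
        fighters.push(Fighter(p.to, uint256(keccak256(abi.encode(words[0], p.to, p.slot)))));
    }
}
```

Anything readable inside the claiming transaction, block.timestamp included, is also readable by a claimant's contract before it decides whether to revert, so mixing it in only raises the cost of the retry loop in the PoC; deciding the outcome in a later fulfilment transaction is what removes it.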