The function EntropyGenerator::initializeAlphaIndices is used for selecting index points for the 999999 Entropy, which is the "Golden God" entity.
This function can only be called by the owner, because it has the onlyOwner modifier. The problem arises when the function forgeWithListed is called from the EntityForging contract:
As we can see, the value of the newTokenId is derived by calling the forge function in the TraitForgeNft contract.
The forge function, in turn, calls the internal function _mintNewEntity to obtain the new token id. In _mintNewEntity there is a check for whether we have to transition to a new generation. If that's the case, we enter the first if-statement and call the _incrementGeneration function:
In the _incrementGeneration function we call the function to transition to a new generation:
The problem arises when we have to call the entropyGenerator.initializeAlphaIndices() function. Since the caller of the function is going to be the TraitForgeNft contract and not the owner, the function will revert, making it impossible to transition to a new generation. This function is also called in the mintToken and mintWithBudget functions.
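The caller mismatch described above, reduced to a minimal model. This is an added example, not TraitForge's code: GeneratorModel, NftModel and the suffixed function names are hypothetical, and applying the onlyAllowedCaller check from the recommended mitigation to the initializer is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the entropy generator; bodies are assumptions.
contract GeneratorModel {
    address public owner = msg.sender; // the deployer becomes the owner
    address public allowedCaller;      // assumption: set to the NFT contract
    uint256 public initCount;

    modifier onlyOwner() {
        require(msg.sender == owner, "Caller is not the owner");
        _;
    }

    modifier onlyAllowedCaller() {
        require(msg.sender == allowedCaller || msg.sender == owner, "Caller is not allowed");
        _;
    }

    function setAllowedCaller(address caller) external onlyOwner {
        allowedCaller = caller;
    }

    // Owner-only, as in the finding: a call routed through another contract reverts.
    function initializeAlphaIndicesOwnerOnly() external onlyOwner {
        initCount++;
    }

    // Same initializer guarded by the widened check.
    function initializeAlphaIndicesAllowed() external onlyAllowedCaller {
        initCount++;
    }
}

// Hypothetical stand-in for the NFT contract that triggers the generation change.
contract NftModel {
    GeneratorModel public immutable generator;

    constructor(GeneratorModel g) {
        generator = g;
    }

    // Inside the generator msg.sender is this contract, whoever called us,
    // so this reverts even when the owner sends the transaction.
    function incrementGenerationBroken() external {
        generator.initializeAlphaIndicesOwnerOnly();
    }
    // Succeeds once the owner has called setAllowedCaller(address(this)).
    function incrementGenerationFixed() external {
        generator.initializeAlphaIndicesAllowed();
    }
}
```

Deploy GeneratorModel, then NftModel with its address: incrementGenerationBroken reverts for every sender, while incrementGenerationFixed passes only after setAllowedCaller has been pointed at the NftModel instance.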
Impact
This finding impacts the 'Forging' aspect of the protocol. When it is time for a new generation, the forging of new NFTs would be blocked, since the transactions are always going to revert.
Recommended Mitigation
Change the access control of EntityForging::forgeWithListed() from
modifier onlyAllowedCaller() {
- require(msg.sender == allowedCaller, "Caller is not allowed");
+ require(msg.sender == allowedCaller || msg.sender == owner(), "Caller is not allowed");
_;
}
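Review bot: the widened require on the + line admits owner() alongside allowedCaller, but the write-up says the reverting call comes from the TraitForgeNft contract, so this only removes the revert if allowedCaller is set to that contract's address and this modifier is the one guarding initializeAlphaIndices. The hunk shows neither the enclosing contract nor where the modifier is applied, and the sentence above names forgeWithListed instead. Suggest stating which function gets onlyAllowedCaller in place of onlyOwner, and documenting how and by whom allowedCaller is set.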
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntropyGenerator/EntropyGenerator.sol#L206
Assessed type
Access Control