Light ModeLight
Light ModeDark

One Bug Per Day

One H/M every day from top Wardens

Checkmark

Join over 445 wardens!

Checkmark

Receive the email at any hour!

Ad

User influence on DNA via fighters.length in mintFromMergingPool() (unmitigated issue 3. grouped under M-05)

mediumCode4rena

Lines of code

https://github.com/ArenaX-Labs/2024-02-ai-arena-mitigation/blob/d81beee0df9c5465fe3ae954ce41300a9dd60b7f/src/FighterFarm.sol#L366

Vulnerability details

Impact

The user can wait for an appropriate fighters.length to get a better DNA when minting from the merging pool.

Proof of Concept

A winning user can call MergingPool.claimRewards(), which calls FighterFarm.mintFromMergingPool(). Here the DNA is set as uint256(keccak256(abi.encode(to, fighters.length))). This means that the user can choose to call claimRewards() when fighters.length is such that the DNA gives better attributes.

Recommended Mitigation Steps

Note that there is also an issue with using to in setting the DNA (the mitigation error from the fix of #578). This mitigation fixes both of these. Set the DNA as blockhash(block.number - 1). This must be in a call from the admin, otherwise the user could wait for a good blockhash. Then in a second call by the user assign the fighter to the user, either through direct minting to the user, or mint the fighter to an escrow (e.g. FighterFarm itself) and then have the user transfer it to himself in the second call.

Assessed type

Other

OneBugPerDay.com
To all the whitehats, we salute you

Legal

Advertise with usPrivacy PolicyTerms of ServiceCookie PolicyAcceptable Use

Unsubscribe

Unsubscribe from all emailsConfirm unsubscribe via code

Subscribe

Subscribe via formConfirm subscription via codeChange your Preferences
Made by Alex The EntreprenerdVulnerabilities database by TinTinWeb