This repository has been archived by the owner on May 5, 2024. It is now read-only.
cergyk - Winning agent id may be uninitialized when game is over, locking grand prize #31
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
High
0xhiroshi
added
Sponsor Confirmed
sherlock-admin
changed the title
|
Fix LGTM |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
cergyk
high
Winning agent id may be uninitialized when game is over, locking grand prize
Summary
In the
Infiltrationcontract, theagentsmapping holds all of the agents structs, and encodes the ranking of the agents (used to determine prizes at the end of the game).This mapping records are lazily initialized when two agents are swapped (an agent is either killed or escapes):
Killed/Escapedand itsagentIdis setagentIdis setThis is the only moment when the
agentIdof an agent record is set.This means that if the first agent in the array ends up never being swapped, it keeps its agentId as zero, and the grand prize is unclaimable.
Vulnerability Detail
We can see in the implementation of
claimGrandPrizethat:https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L658
The field
Agent.agentIdof the struct is used to determine if the caller can claim. Since the id is zero, and it is and invalid id for an agent, there is no owner for it and the condition:https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L1666-L1670
Always reverts.
Impact
The grand prize ends up locked/unclaimable by the winner
Code Snippet
Tool used
Manual Review
Recommendation
In
claimGrandPrizeuse 1 as the default ifagents[1].agentId == 0:function claimGrandPrize() external nonReentrant { _assertGameOver(); uint256 agentId = agents[1].agentId; + if (agentId == 0) + agentId = 1; _assertAgentOwnership(agentId); uint256 prizePool = gameInfo.prizePool; if (prizePool == 0) { revert NothingToClaim(); } gameInfo.prizePool = 0; _transferETHAndWrapIfFailWithGasLimit(WETH, msg.sender, prizePool, gasleft()); emit PrizeClaimed(agentId, address(0), prizePool); }The text was updated successfully, but these errors were encountered: