cergyk - Winning agent id may be uninitialized when game is over, locking grand prize #31

Labels:
- Has Duplicates: a valid issue with 1+ other issues describing the same vulnerability
- High: a valid High severity issue
- Reward: a payout will be made for this issue
- Sponsor Confirmed: the sponsor acknowledged this issue is valid
- Will Fix: the sponsor confirmed this issue will be fixed

Submitted by cergyk, severity: high
Summary

In the Infiltration contract, the agents mapping holds all of the agent structs and encodes the ranking of the agents (used to determine prizes at the end of the game). Its records are lazily initialized when two agents are swapped (an agent is either killed or escapes): the swapped-out agent's status is set to Killed/Escaped and its agentId is set. This is the only moment when the agentId of an agent record is set. This means that if the first agent in the array ends up never being swapped, it keeps its agentId as zero, and the grand prize is unclaimable.
Vulnerability Detail

We can see in the implementation of claimGrandPrize (https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L658) that the field Agent.agentId of the struct is used to determine whether the caller can claim. Since the id is zero, which is an invalid id for an agent, there is no owner for it, and the ownership condition (https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L1666-L1670) always reverts.
Impact

The grand prize ends up locked/unclaimable by the winner.
Code Snippet
Tool used
Manual Review
Recommendation

In claimGrandPrize, use 1 as the default agent id if agents[1].agentId == 0:
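The following contract is an added, self-contained model of the pattern the issue describes; it is not the Infiltration contract's code. The struct layout, the ownerOf mapping standing in for ERC721 ownership, the eliminate function and the uint16 id type are assumptions made for the illustration; only the lazy-initialization convention (an unwritten rank record implicitly refers to the agent whose id equals that rank), the "agentId is written only on swap" behaviour and the recommended default-to-1 fix come from the issue. claimGrandPrizeVulnerable reproduces the lock-up; claimGrandPrize applies the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical model of a rank-indexed agent table whose records are only
// written when two agents are swapped (assumed layout, not Infiltration's).
contract RankedAgentsDemo {
    enum Status { Active, Killed, Escaped }

    struct Agent {
        uint16 agentId;  // 0 means "never written"; real agent ids are 1-based
        Status status;
    }

    uint256 public immutable totalAgents;
    uint256 public activeAgents;
    // rank (1-based) => record. Unwritten rank N implicitly means agent id N.
    mapping(uint256 => Agent) public agents;
    // agentId => owner (stand-in for an ERC721 ownerOf lookup)
    mapping(uint256 => address) public ownerOf;
    bool public grandPrizeClaimed;

    constructor(uint256 _totalAgents) {
        totalAgents = _totalAgents;
        activeAgents = _totalAgents;
        // Demo only: the deployer owns every agent.
        for (uint256 id = 1; id <= _totalAgents; id++) {
            ownerOf[id] = msg.sender;
        }
    }

    // Resolve the agent id at a rank, honouring the lazy-init convention.
    function _agentIdAt(uint256 rank) internal view returns (uint16) {
        uint16 stored = agents[rank].agentId;
        return stored == 0 ? uint16(rank) : stored;
    }

    // Eliminate the agent at `rank` by swapping it with the last active rank.
    // This is the only place agentId fields are written, mirroring the issue.
    function eliminate(uint256 rank, Status newStatus) external {
        require(rank >= 1 && rank <= activeAgents, "bad rank");
        uint256 lastRank = activeAgents;
        uint16 victimId = _agentIdAt(rank);
        uint16 lastId = _agentIdAt(lastRank);
        agents[rank].agentId = lastId;                         // survivor moves up
        agents[lastRank] = Agent({agentId: victimId, status: newStatus});
        activeAgents = lastRank - 1;
    }

    // Vulnerable: trusts agents[1].agentId as stored. If rank 1 was never
    // swapped the id is 0, ownerOf[0] is address(0), and the claim always reverts.
    function claimGrandPrizeVulnerable() external {
        require(activeAgents == 1, "game still running");
        uint256 winnerId = agents[1].agentId;
        require(ownerOf[winnerId] == msg.sender, "not agent owner");
        grandPrizeClaimed = true;
    }

    // Fixed (the issue's recommendation): default to agent id 1 when the
    // rank-1 record was never written.
    function claimGrandPrize() external {
        require(activeAgents == 1, "game still running");
        uint256 winnerId = _agentIdAt(1);
        require(ownerOf[winnerId] == msg.sender, "not agent owner");
        grandPrizeClaimed = true;
    }
}
```

With three agents, calling eliminate(2, Killed) twice leaves agent 1 as the sole survivor without rank 1 ever being swapped: agents[1].agentId stays 0, so claimGrandPrizeVulnerable reverts for the deployer while claimGrandPrize resolves the winner to id 1 and succeeds.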