-
Notifications
You must be signed in to change notification settings - Fork 6
klaus - heal - attacker can request heal to stop other users from trading NFTs #57
Comments
The following three issues has the same core root cause of no access control for healing, enabling anybody to heal in place of others via Note for watsons: While the fixes mentioned differ, this findings should be duplicated based on sherlocks rule as the root cause is due to anybody being able to heal anybody else's agent. Additionally, the affected lines of code mentioned are all pointing to the same logic in the I simply selected issue #57 due to a well coded PoC, even though it too lack description of all possible impacts. #2, #82, #119 - Mentions healing that affects overall game state of getting wounded |
This is a valid PvP game strategy. |
After further consideration: #2, #82 and #119 - I am convinced all three of this are not vulnerabilities since helping other users heal their agents has no benefit to the user healing. It only reduces their chances of winning themselves or help with increasing the chances of a user benefitting from the heal. Reducing the winning chances of other users just because a user heal in place of others is not a vulnerability but instead an intended function of #51 and #57 - This test here supports the sponsors claim of #73, #106 - According to sherlock rules, this should at most be low severity. DoS is not permanent, and the workaround is simply to heal agents one at a time. The only funds lost is gas. This is in addition to the nature of the protocol being a PVP Game.
|
klaus
medium
heal - attacker can request heal to stop other users from trading NFTs
Summary
Only active, wounded agents can be transferred. Since anyone can request heal the wounded agent owned by another user, attacker can prevent user sell(transfer) agent NFT.
Vulnerability Detail
The
heal
function allows anyone to request to heal the wounded agent that they do not own. Only active or wounded agents can be transferred, not healing, escaped, or dead agents.Users can freely buy and sell agent NFTs on the NFT market. However, if the attacker requests to heal the wounded agent that is selling, the user will not be able to trade agent NFT.
This is the PoC code. Anyone can request to heal the agent, and this agent is no longer transferable.
Impact
Code Snippet
https://github.com/sherlock-audit/2023-10-looksrare/blob/86e8a3a6d7880af0dc2ca03bf3eb31bc0a10a552/contracts-infiltration/contracts/Infiltration.sol#L801
https://github.com/sherlock-audit/2023-10-looksrare/blob/86e8a3a6d7880af0dc2ca03bf3eb31bc0a10a552/contracts-infiltration/contracts/Infiltration.sol#L925-L928
Tool used
Manual Review
Recommendation
Make sure that only the agent owner can request to heal. If
heal
is called from InfiltrationPeriphery contract, passmsg.sender
as parameter and check it.The text was updated successfully, but these errors were encountered: