Winning NFT owner/admin can rug pull attack or DoS attack on winner by removing the winning NFT. #226
Labels: 3 (High Risk), bug, duplicate-146, edited-by-warden, satisfactory
Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L295
Vulnerability details
Impact
Given the current logic, it is possible to call the redraw method even after recoverTimelock has passed. If the owner does so, the contract will select a new winner for the winning NFT. But it will be up to the owner to give as much time to the winner to claim the winning NFT, meaning the owner can interrupt the game. These are the possible attacks:
Rug pull: The owner calls the lastResortTimelockOwnerClaimNFT method and the current winner will never be able to claim the NFT he won due to a rug pull by the winning NFT owner.
DoS: If the owner wants to choose a new winner, he can call lastResortTimelockOwnerClaimNFT to retrieve the NFT and then wait until the redraw period is over. Once it is over, the owner can transfer the winning NFT back to the contract (using transferFrom) and call the redraw method again to select a new winner. This way the previous winner will get no chance to claim the NFT he won.
The impact is high as this will affect the winning users directly and the winning NFT owner will be able to interrupt while the game is still going on.
Proof of Concept
This is a test of how this vulnerability can be exploited.
Tools Used
Foundry
Recommended Mitigation Steps
There could be 2 mitigations:
redraw once recoverTimelock is already passed.
redraw once recoverTimelock is already passed, then the recoverTimelock value should be updated as well, like drawTimelock, whenever the owner calls the redraw method. This will give sufficient time to the winning user to claim the won NFT.
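A sketch of the two mitigations above, added here as an example and not taken from the Forgeries code base. It reads them as (1) rejecting redraw and (2) moving recoverTimelock forward on redraw, and it generalizes the condition from "recoverTimelock has passed" to "the new claim window would end after recoverTimelock". The contract name, constructor parameters, drawBufferTime, extendOnRedraw, the event and the error names are assumptions; randomness and NFT transfer logic are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Simplified model of the two timelocks only; not the VRFNFTRandomDraw source.
/// Names other than redraw, drawTimelock, recoverTimelock and
/// lastResortTimelockOwnerClaimNFT are assumptions made for this sketch.
contract TimelockSketch {
    error NotOwner();
    error TooSoonToRedraw();
    error RecoveryWindowOpen();
    error RecoveryNotYetPossible();
    event OwnerRecovered();

    address public immutable owner;
    uint256 public immutable drawBufferTime; // claim window granted per draw
    bool public immutable extendOnRedraw;    // true: mitigation 2, false: mitigation 1
    uint256 public drawTimelock;             // redraw allowed after this time
    uint256 public recoverTimelock;          // owner recovery allowed from this time

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 drawBuffer, uint256 recoverAt, bool extend) {
        owner = msg.sender;
        drawBufferTime = drawBuffer;
        extendOnRedraw = extend;
        drawTimelock = block.timestamp + drawBuffer;
        recoverTimelock = recoverAt;
    }

    function redraw() external onlyOwner {
        if (block.timestamp <= drawTimelock) revert TooSoonToRedraw();
        uint256 newDrawTimelock = block.timestamp + drawBufferTime;
        if (newDrawTimelock > recoverTimelock) {
            // The new winner's claim window would overlap owner recovery.
            if (!extendOnRedraw) revert RecoveryWindowOpen(); // mitigation 1
            recoverTimelock = newDrawTimelock;                // mitigation 2
        }
        drawTimelock = newDrawTimelock;
        // Requesting new randomness and selecting the winner is omitted here.
    }

    function lastResortTimelockOwnerClaimNFT() external onlyOwner {
        if (block.timestamp < recoverTimelock) revert RecoveryNotYetPossible();
        emit OwnerRecovered(); // returning the NFT to the owner is omitted
    }
}
```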