mstpr-brainbot - Clubs can mint +1 players more than maxGenerationId #152
Comments
Marked as 'Will Fix'. I believe the solution here is instead to update the documentation to say "At game launch this value will be 9". Because the documentation as far as I'm aware is correct in that it says
Escalate for 10 USDC This should be considered Low/Informational. The variable is named Furthermore, to imply that a Ultimately, it's a configuration variable and the sponsor is updating the documentation to reflect the value that it will be set to at launch. A documentation update should only be considered as informational. There is no exploit here.
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate for 10 USDC The docs say that Then going by the docs, if
Sponsor here, agreed with @NishithPat. My original statement is incorrect, the documentation should be updated to remove the statement "the number of players that can be minted per cohort". Their suggestion is correct.
Based on the comments above, NishithPat's escalation is valid.
Escalation accepted. Valid medium.
mstpr-brainbot
high
Clubs can mint +1 players more than maxGenerationId
Summary
As stated in the doc here, clubs should initially be able to mint 10 players. However, clubs can always mint one player more than maxGenerationId.
Vulnerability Detail
An off-by-one error exists in the academy contract's generation ID check when minting players. The code currently allows clubs to mint up to maxGenerationId + 1 players, which is inconsistent with the documentation. If a club sends generation IDs in the sequence 0-1-2-3-4-5-6-7-8-9-10, every one of them passes the check, so the club can mint maxGenerationId + 1 players instead of the intended maxGenerationId.
Impact
Since this is not intended behaviour according to the protocol docs, I'll label it as high.
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumAcademy.sol#L186-L188
Here the code only checks whether the generation ID is higher than _maxGenerationId, so a generation ID equal to _maxGenerationId passes the check.
Tool used
Manual Review
Recommendation
Use generationId >= _maxGenerationId in the check, or do not count the "0" index.
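To make the boundary concrete, here is an added Python model (not FootiumAcademy code) of the check as the report describes it, of the >= variant it recommends, and of the "do not count index 0" alternative. The contract's exact code is not reproduced; the model assumes each generation ID is accepted or rejected by a single comparison against _maxGenerationId, and sets that value to 10 to match the 0..10 sequence above.

```python
"""Off-by-one model for the academy generation-ID check (added example)."""

from typing import Callable, Iterable, List

# Assumed value, chosen so the report's 0..10 sequence can be replayed.
MAX_GENERATION_ID = 10

Check = Callable[[int, int], bool]


def vulnerable_check(generation_id: int, max_generation_id: int) -> bool:
    """Check as described in the report: only IDs strictly above the bound
    are rejected, so generation_id == max_generation_id still passes."""
    return not (generation_id > max_generation_id)


def fixed_check(generation_id: int, max_generation_id: int) -> bool:
    """Recommended fix: reject generation_id >= max_generation_id, leaving
    exactly max_generation_id valid IDs (0 .. max_generation_id - 1)."""
    return not (generation_id >= max_generation_id)


def one_indexed_check(generation_id: int, max_generation_id: int) -> bool:
    """Alternative fix: keep the '>' comparison but stop counting index 0,
    so the valid IDs are 1 .. max_generation_id (again exactly max of them)."""
    return 1 <= generation_id <= max_generation_id


def mint_players(check: Check, generation_ids: Iterable[int],
                 max_generation_id: int) -> List[int]:
    """Replay a club submitting generation IDs in order and return the IDs
    that would be minted; each ID is checked independently, as in the report."""
    return [gid for gid in generation_ids if check(gid, max_generation_id)]


def mintable_count(check: Check, max_generation_id: int) -> int:
    """Number of distinct generation IDs a club can mint under a given check.
    Probing 0 .. max_generation_id + 1 covers both sides of the boundary."""
    candidates = range(max_generation_id + 2)
    return len(mint_players(check, candidates, max_generation_id))


if __name__ == "__main__":
    for name, check in [("vulnerable", vulnerable_check),
                        ("fixed >=", fixed_check),
                        ("one-indexed", one_indexed_check)]:
        print(f"{name:12s} mintable = {mintable_count(check, MAX_GENERATION_ID)}")
```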