kaiju-p2e-bug-bounty's Introduction

KaijuKingz P2E Bug Bounty

Bug Bounty Details: https://medium.com/@AugmintedLabs/kaijukingz-p2e-bug-bounty-864f7fe9e9c

P2E announcement: https://medium.com/@AugmintedLabs/kaijukingz-p2e-ecosystem-dc9577ff8773

Community-built infographic (Credit: @HelmiMastuki)

Simulator

The community-built P2E Simulator (Credit: @chouapo) can be used to get a better understanding of the flow of resources in the P2E ecosystem. The simulator does not demonstrate the batch extraction mechanic.

Contracts

The ecosystem is made up of a total of 8 contracts:

  1. KaijuKingz (Deployed) - The core ERC-721 contract. These are "Genesis" and "Baby" Kaijus.
  2. RWaste (Deployed) - ERC-20 token passively earned by Genesis tokens at a rate of 5/day.
  3. Scales - ERC-20 token earned by staking Genesis and Baby tokens at a rate of 15/day and 5/day respectively. Staked Genesis generate RWaste tokens for the staking contract, with uses [REDACTED].
  4. Mutants (Deployed) - A supplemental ERC-721 collection. These are "Mutant" Kaijus that are able to be experimented on.
  5. MutantScales - An auxiliary contract to the "Scales" contract that adds passive earning functionality for Mutant tokens at a rate of 2/day.
  6. DNA - An ERC-1155 collection. There are 5 elemental types of DNA, each having 5 categories of rarity (common, uncommon, rare, epic, legendary). DNA is earned by running experiments on Mutants, paid for in Scales.
  7. Scientists - A supplemental ERC-721 collection. Scientists earn rewards (currently Scales and DNA) when experiments fail.

Hardhat Commands

npx hardhat accounts
npx hardhat compile
npx hardhat clean
npx hardhat test
npx hardhat node
npx hardhat help
REPORT_GAS=true npx hardhat test
npx hardhat coverage
npx hardhat run scripts/deploy.js
node scripts/deploy.js
npx eslint '**/*.js'
npx eslint '**/*.js' --fix
npx prettier '**/*.{json,sol,md}' --check
npx prettier '**/*.{json,sol,md}' --write
npx solhint 'contracts/**/*.sol'
npx solhint 'contracts/**/*.sol' --fix

kaiju-p2e-bug-bounty's Issues

[Critical] msg.sender not checked when calling unstake() before transferring

https://github.com/augmintedlabs/kaiju-p2e-bug-bounty/blob/master/contracts/Scales.sol#L263-L266

Explanation:

When staking a baby or genesis, the owner is recorded in the tokenOwners mapping. However, this is not checked before transferring the NFT. Therefore an attacker would be able to unstake an NFT that is not theirs.

    function unstake(uint256[] calldata tokenIds) public nonReentrant {
        if (tokenIds.length == 0 || tokenIds.length > MAX_PER_TX) revert Scales_InvalidTokenAmount();

        _update(_msgSender());

        uint16 genesisCount;
        for (uint256 i; i < tokenIds.length; i++) {
            uint256 tokenId = tokenIds[i];
            // Should check that tokenOwners[tokenId] == _msgSender()
            KAIJU.safeTransferFrom(address(this), _msgSender(), tokenId);
            tokenOwners[tokenId] = address(0);

            if (tokenId < KAIJU_GENESIS_SUPPLY) genesisCount += 1;

            emit Unstake(tokenId, _msgSender());
        }

        accountInfo[_msgSender()].shares -= uint16(tokenIds.length + (genesisCount * GENESIS_BONUS));
    }

Attack Scenario:

  1. Stake a baby or gen so that the transaction doesn't get reverted for an underflow on this line https://github.com/augmintedlabs/kaiju-p2e-bug-bounty/blob/master/contracts/Scales.sol#L274.
  2. Call unstake() for an id that the sender does not own. Because the tokenOwner mapping isn't used, the NFT would be transferred to the wrong owner. Attackers would be able to swap a baby for a gen.

Exploitability: High

Recommendation:

Check that the msg.sender is the owner of the id by using the tokenOwners mapping.

    function unstake(uint256[] calldata tokenIds) public nonReentrant {
        if (tokenIds.length == 0 || tokenIds.length > MAX_PER_TX) revert Scales_InvalidTokenAmount();

        _update(_msgSender());

        uint16 genesisCount;
        for (uint256 i; i < tokenIds.length; i++) {
            uint256 tokenId = tokenIds[i];

            // Check msg.sender is owner of tokenId staked in contract
            if ( tokenOwners[tokenId] != _msgSender() ) revert Scales_YouDontOwnThis();

            KAIJU.safeTransferFrom(address(this), _msgSender(), tokenId);
            tokenOwners[tokenId] = address(0);

            if (tokenId < KAIJU_GENESIS_SUPPLY) genesisCount += 1;

            emit Unstake(tokenId, _msgSender());
        }

        accountInfo[_msgSender()].shares -= uint16(tokenIds.length + (genesisCount * GENESIS_BONUS));
    }
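A replay check that a defender could run over the event history of the deployed staking contract to see whether any token was ever unstaked by an account other than the one that staked it. This is an added example, not code from the issue or from the project; it assumes the contract emits a Stake(tokenId, account) event alongside the Unstake(tokenId, account) event shown above, and the event list is constructed rather than pulled from chain.

```python
"""Replay Stake/Unstake events and flag owner mismatches (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str      # "Stake" or "Unstake" (Stake event is an assumption)
    token_id: int
    account: str   # address that called stake()/unstake()
    block: int


def find_owner_mismatches(events):
    """Replay events in block order and report every Unstake whose caller is not
    the account recorded as the staker of that token, i.e. the off-chain
    equivalent of the tokenOwners[tokenId] == _msgSender() check the fix adds."""
    staker = {}    # token_id -> account, mirrors the tokenOwners mapping
    findings = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "Stake":
            staker[ev.token_id] = ev.account
        elif ev.name == "Unstake":
            owner = staker.pop(ev.token_id, None)
            if owner is None:
                findings.append((ev.block, ev.token_id,
                                 "unstake of token with no recorded stake"))
            elif owner != ev.account:
                findings.append((ev.block, ev.token_id,
                                 f"unstaked by {ev.account}, staked by {owner}"))
    return findings


# Constructed sample log: token 7 is staked by alice but unstaked by bob.
SAMPLE_EVENTS = [
    Event("Stake", 7, "0xalice", 100),
    Event("Stake", 4200, "0xbob", 101),
    Event("Unstake", 7, "0xbob", 105),
    Event("Unstake", 4200, "0xbob", 106),
]

if __name__ == "__main__":
    for block, token_id, why in find_owner_mismatches(SAMPLE_EVENTS):
        print(f"block {block}: token {token_id}: {why}")
```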
