AI Arena Mitigation Review details

• Total Prize Pool: $21,000 in USDC
  • HM awards: $18,000 in USDC
  • Judge awards: $3,000 in USDC
• Join C4 Discord to register
• Submit findings using the C4 form
• Read our guidelines for more details
• Starts April 8, 2024 20:00 UTC
• Ends April 15, 2024 20:00 UTC

Important note

Each warden must submit a mitigation review for every individual PR listed in the Scope section below. Incomplete mitigation reviews will not be eligible for awards.

Findings being mitigated

Mitigations of all High and Medium issues will be considered in-scope and listed here.

• H-01: A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters
• H-02: Non-transferable GameItems can be transferred with GameItems::safeBatchTransferFrom(...)
• H-03: Players have complete freedom to customize the fighter NFT when calling redeemMintPass and can redeem fighters of types Dendroid and with rare attributes
• H-04: Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType
• H-06: FighterFarm:: reroll won't work for nft id greator than 255 due to input limited to uint8
• H-07:Fighters cannot be minted after the initial generation due to uninitialized numElements mapping
• H-08: Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the claimRewards() function
• M-03: Fighter created by mintFromMergingPool can have arbitrary weight and element
• M-04: DoS in MergingPool::claimRewards function and potential DoS in RankedBattle::claimNRN function if called after a significant amount of rounds passed.
• M-05: Can mint NFT with the desired attributes by reverting transaction
• M-06: NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)
• M-08: Burner role can not be revoked

Overview of changes

• Fixed issues with tokenId restrictions: There was an issue when re-rolling for fighters with token IDs greater than 255 which has been addressed.

• Override fixes in safeTransferFrom

• DNA generation fixes: Issues in the generation process during minting from the merging pool and in the re-roll and claim functions have been fixed.

• Non-transferable GameItems fix: There was a bug that allowed non-transferable game items to be transferred, which has been fixed.

• Mitigation of reentrancy in claimRewards: Reentrancy attack was mitigated.

• Uninitialized numElements variable: An uninitialized variable numElements was fixed.

• ECRecover vulnerability: A known vulnerability with ECRecover was addressed.

• Update to ranking and staking mechanisms: There were fixes to staking requirements and an update to ranked battle contracts.

Areas of specific concern would be:

• Reentrancy vulnerabilities.
• Signature malleability in ECRecover.
• Non-transferable items being transferred.

Scope

Branch

Mitigations branch

Mitigations of High & Medium Severity Issues

Additional scope to be reviewed

These are additional changes that will be in scope.

Out of Scope

• H-05: Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
• M-01: Almost all rarity rank combinations cannot be, and are not uniformly, generated
• M-02: Minter / Staker / Spender roles can never be revoked`..,
• M-07: Erroneous probability calculation in physical attributes can lead to significant issues
• M-09: Constraints of dailyAllowanceReplenishTime and allowanceRemaining during mint() can be bypassed by using alias accounts & safeTransferFrom()