This is the report from a security audit of Tronempire performed by gorbunovperm.
Tronempire is a game implemented as a smart contract: the user buys several types of transport with the in-game currency (tickets) and receives profit from it.
In total, 3 issues were reported, including:
- 0 high severity issues.
- 1 medium severity issue.
- 2 low severity issues.
- 0 owner privileges.
- 0 minor observations.
When transport is merged, the counts are summed. tto.count and tfrom.count are uint16 values with a maximum of 65535, but their sum can exceed this value. There is a check at line 403:
require(tto.count + tfrom.count <= 65535, "Too large count");
This check does not help, because the addition itself is performed in uint16 (in Solidity the sum of two uint16 values is a uint16) and wraps around before the comparison, so the condition always holds.
Example:
// tto.count += tfrom.count;
tto.count = 30000 + 35550; // 65550 wraps to 65550 - 65536 = 14
This is a realistic case: 65535 Steam Engines (transport type #2) cost about $180,000, and someone who buys $25,000 worth of Steam Engines today will accumulate that many in about a year without additional investment.
Use a condition that detects the wrap, for example require(tto.count + tfrom.count > tto.count, "Too large count"); note that this variant also rejects a merge when tfrom.count is 0, so widening both operands to uint256 before the addition and comparing the exact sum against 65535 is the safer form.
The cost calculation may also overflow if some parameters (such as tt.price or the maximum value of _count) are updated in the code.
This should be taken into account, for example, when updating the transport parameters.
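The wrapping uint16 check and the unchecked cost product described above, each beside an overflow-safe version, as an added Solidity example that is not Tronempire's code. The contract, struct and function names (TransportMergeExample, Transport, TransportType, addType, addUnit, mergeUnsafe, mergeSafe, cost) are assumptions made for the illustration; only the field names tto.count, tfrom.count, tt.price and _count come from the report. The wrap-around applies to compilers before 0.8.0, where arithmetic is unchecked; from 0.8.0 onward the addition would revert with a panic instead.

```solidity
pragma solidity ^0.5.0;

// Added illustration of the two overflow findings; not the audited contract.
contract TransportMergeExample {
    struct Transport {
        uint8 transportType;
        uint16 count;   // same width as in the report: max 65535
    }

    struct TransportType {
        uint256 price;  // stands in for tt.price
    }

    TransportType[] public types;
    Transport[] public units; // hypothetical flat list of a player's transport

    function addType(uint256 price) public {
        types.push(TransportType(price));
    }

    function addUnit(uint8 transportType, uint16 count) public {
        units.push(Transport(transportType, count));
    }

    // Vulnerable form. Both operands are uint16, so the sum is computed in
    // uint16 and wraps before the comparison: 30000 + 35550 yields 14, the
    // require passes, and the merged count becomes 14.
    function mergeUnsafe(uint256 toId, uint256 fromId) public {
        Transport storage tto = units[toId];
        Transport storage tfrom = units[fromId];
        require(tto.transportType == tfrom.transportType, "Different types");
        require(tto.count + tfrom.count <= 65535, "Too large count");
        tto.count += tfrom.count;
        tfrom.count = 0;
    }

    // Hardened form. Widen to uint256 first so the sum is exact, then
    // compare against the uint16 maximum before narrowing back.
    function mergeSafe(uint256 toId, uint256 fromId) public {
        Transport storage tto = units[toId];
        Transport storage tfrom = units[fromId];
        require(tto.transportType == tfrom.transportType, "Different types");
        uint256 total = uint256(tto.count) + uint256(tfrom.count);
        require(total <= 65535, "Too large count");
        tto.count = uint16(total);
        tfrom.count = 0;
    }

    // Cost calculation with a multiplication-overflow check (the division
    // round-trip used by SafeMath-style libraries), so that a later change
    // to the price or to the allowed _count cannot silently wrap the product.
    function cost(uint8 typeId, uint256 _count) public view returns (uint256) {
        uint256 price = types[typeId].price;
        uint256 c = price * _count;
        require(_count == 0 || c / _count == price, "Cost overflow");
        return c;
    }
}
```

Calling addUnit(2, 30000), addUnit(2, 35550) and then mergeUnsafe(0, 1) leaves units[0].count at 14, whereas mergeSafe(0, 1) on the same state reverts with "Too large count".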
The remove() and removeWithLength() functions do not actually delete the elements of the transport array from storage; they only change the length variable of the m.units structure. This means that a direct call to m.units.items[i] with the index of a removed item still returns the removed transport's data, and can modify it.
No direct access by index was found in the contract code, but it is better to clear the data from storage (for example with delete) when an item is removed.
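A model of the pattern described above, as an added Solidity example rather than Tronempire's code: a per-player unit list with its own length field, a removal that only shrinks length (so the stale entry stays readable and writable through items) and a variant that deletes the storage slot as well. The contract and function names (UnitListExample, Unit, UnitList, add, removeLeaky, removeClean, rawItem) and the swap-with-last removal strategy are assumptions; only the items and length fields come from the report.

```solidity
pragma solidity ^0.5.0;

// Added illustration of the storage-clearing finding; not the audited contract.
contract UnitListExample {
    struct Unit {
        uint8 transportType;
        uint16 count;
    }

    // The list keeps its own logical length, as m.units does in the report,
    // so items.length can be larger than the number of live entries.
    struct UnitList {
        Unit[] items;
        uint256 length;
    }

    mapping(address => UnitList) internal lists;

    function add(uint8 transportType, uint16 count) public {
        UnitList storage l = lists[msg.sender];
        if (l.length < l.items.length) {
            l.items[l.length] = Unit(transportType, count); // reuse a stale slot
        } else {
            l.items.push(Unit(transportType, count));
        }
        l.length++;
    }

    // Leaky removal (assumed swap-with-last). Only the logical length shrinks;
    // the removed unit's data is still stored at items[length] afterwards and
    // rawItem(length) returns it.
    function removeLeaky(uint256 i) public {
        UnitList storage l = lists[msg.sender];
        require(i < l.length, "Bad index");
        uint256 last = l.length - 1;
        if (i != last) {
            l.items[i] = l.items[last];
        }
        l.length--;
    }

    // Clean removal: same bookkeeping, but the slot that is no longer live is
    // zeroed with delete, so stale data cannot be read back or modified.
    function removeClean(uint256 i) public {
        UnitList storage l = lists[msg.sender];
        require(i < l.length, "Bad index");
        uint256 last = l.length - 1;
        if (i != last) {
            l.items[i] = l.items[last];
        }
        delete l.items[last];
        l.length--;
    }

    // Raw access by physical index, bypassing the logical length; this is the
    // kind of access the report warns about.
    function rawItem(uint256 i) public view returns (uint8, uint16) {
        Unit storage u = lists[msg.sender].items[i];
        return (u.transportType, u.count);
    }

    function liveLength() public view returns (uint256) {
        return lists[msg.sender].length;
    }
}
```

After add(2, 100) followed by removeLeaky(0), liveLength() is 0 but rawItem(0) still returns (2, 100); after removeClean(0) on the same starting state, rawItem(0) returns (0, 0).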
Several vulnerabilities were found that should be fixed.