📝 Title
Path System Array Index Out of Bounds Vulnerability
📋 Description
The path system in `game.cairo` has multiple functions that can cause contract panics due to array index out of bounds errors. The `get_path_step()` and `advance_enemy_position()` functions don't properly validate indices before accessing predefined path arrays, which can lead to DoS attacks or unexpected game crashes.
Current problematic code:

```cairo
fn get_step_from_array(steps: Span<(u32, u32)>, index: u32) -> (u32, u32) {
    assert(index < steps.len(), 'Index out of bounds'); // ⚠️ PANIC ON INVALID INDEX
    *steps.at(index.into())
}

fn get_path_step(path_id: u64, index: u32) -> (u32, u32) {
    match path_id {
        0 => { /* ... */ },
        1 => { /* ... */ },
        2 => { /* ... */ },
        _ => panic!("Invalid path_id"), // ⚠️ PANIC ON INVALID PATH_ID
    }
}
```
Attack vectors:
- Calling with invalid `path_id` values
- Providing `index` values beyond path length
- Manipulating enemy position updates with out-of-bounds indices
Files affected: `contract/src/systems/game.cairo` (lines 127, 145, 191)
✅ Acceptance Criteria
- Replace `panic!()` calls with graceful error handling that returns `Option<(u32, u32)>` or similar
- Add bounds checking before array access in `get_step_from_array()`
- Validate `path_id` exists before processing in `get_path_step()`
- Update `advance_enemy_position()` to handle invalid paths gracefully
- Add comprehensive test cases for all edge cases and invalid inputs
- Ensure all callers handle the new error return types properly
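One way to meet the criteria above, as an added example rather than the project's code: every invalid input becomes `Option::None` instead of a panic. The path contents, the `path_steps()` helper and the `advance_enemy_position()` signature are assumptions made for this sketch.

```cairo
// Added example, not the project's code. Path contents are constructed placeholders.
// Assumed helper: unknown path_id yields None instead of panic!("Invalid path_id").
fn path_steps(path_id: u64) -> Option<Span<(u32, u32)>> {
    match path_id {
        0 => Option::Some(array![(0_u32, 0_u32), (1, 0), (2, 0)].span()),
        1 => Option::Some(array![(0_u32, 1_u32), (1, 1)].span()),
        _ => Option::None,
    }
}

// Bounds check replaces assert(), so an out-of-range index cannot abort the transaction.
fn get_step_from_array(steps: Span<(u32, u32)>, index: u32) -> Option<(u32, u32)> {
    if index < steps.len() {
        Option::Some(*steps.at(index))
    } else {
        Option::None
    }
}

// Validates path_id before touching any array; propagates None from either check.
fn get_path_step(path_id: u64, index: u32) -> Option<(u32, u32)> {
    match path_steps(path_id) {
        Option::Some(steps) => get_step_from_array(steps, index),
        Option::None => Option::None,
    }
}

// Assumed caller shape: returns the next index and position, or None when the
// path is unknown or the enemy is already on its last step.
fn advance_enemy_position(path_id: u64, current_index: u32) -> Option<(u32, (u32, u32))> {
    // u32 addition panics on overflow, so refuse an index that cannot be advanced.
    if current_index >= 0xFFFFFFFF_u32 {
        return Option::None;
    }
    let next_index = current_index + 1;
    match get_path_step(path_id, next_index) {
        Option::Some(pos) => Option::Some((next_index, pos)),
        Option::None => Option::None,
    }
}

#[cfg(test)]
mod tests {
    use super::{get_path_step, advance_enemy_position};

    #[test]
    fn invalid_inputs_return_none_instead_of_panicking() {
        let (x, y) = get_path_step(0, 2).unwrap();
        assert(x == 2 && y == 0, 'valid step');
        assert(get_path_step(0, 3).is_none(), 'index past end');
        assert(get_path_step(99, 0).is_none(), 'unknown path');
        assert(advance_enemy_position(1, 1).is_none(), 'end of path');
        assert(advance_enemy_position(0, 0).is_some(), 'advance ok');
    }
}
```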
💬 Additional Notes
Severity: 🟠 HIGH - Can cause immediate contract panics, making the game unplayable and potentially allowing DoS attacks by submitting invalid path parameters.
Root Cause: Functions use `panic!()` and `assert()` for input validation instead of graceful error handling, making the contract vulnerable to malicious or malformed inputs.
Impact: Attackers or bugs could crash entire game sessions, lose player progress, and make towers/enemies unusable by triggering array bounds violations.
Keep it consistent with the project's style and standards.