Anexim/Mana-Loop
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[High] [Bug] spendRawMana/spendElementMana accept negative amounts — unlimited mana exploit #358

New Issue
Closed
opened 2026-06-10 19:25:49 +02:00 by Anexim · 2 comments
Anexim commented 2026-06-10 19:25:49 +02:00
Owner
Copy Link
Copy Source

Severity: High
File: src/lib/game/stores/manaStore.ts (lines 76-80, 116-122)

Description:
spendRawMana checks if (state.rawMana < amount) return false and then does state.rawMana - amount. If amount is negative, the check passes (since rawMana >= 0 > amount) and subtracting a negative adds mana with no cap — no maxMana check.

Similarly, spendElementMana checks if (elem.current < amount) — if amount is negative, this check always passes, and elem.current - amount adds mana to the element with no cap.

Impact: Exploit — passing a negative spend amount would add unlimited raw mana or element mana. If any UI or code path allows negative values (e.g., through crafted input, debug tools, or save editing), players can generate infinite mana.

Fix needed: Add validation that amount >= 0 at the start of both functions, throwing an error or returning false for negative values.

**Severity:** High **File:** `src/lib/game/stores/manaStore.ts` (lines 76-80, 116-122) **Description:** `spendRawMana` checks `if (state.rawMana < amount) return false` and then does `state.rawMana - amount`. If `amount` is negative, the check passes (since `rawMana >= 0 > amount`) and subtracting a negative **adds** mana with no cap — no `maxMana` check. Similarly, `spendElementMana` checks `if (elem.current < amount)` — if `amount` is negative, this check always passes, and `elem.current - amount` adds mana to the element with no cap. **Impact:** Exploit — passing a negative spend amount would add unlimited raw mana or element mana. If any UI or code path allows negative values (e.g., through crafted input, debug tools, or save editing), players can generate infinite mana. **Fix needed:** Add validation that `amount >= 0` at the start of both functions, throwing an error or returning false for negative values.
Anexim added the ai:todo label 2026-06-10 19:25:49 +02:00
n8n-gitea was assigned by Anexim 2026-06-10 19:25:49 +02:00
Anexim added ai:in-progress and removed ai:todo labels 2026-06-10 21:47:06 +02:00
Anexim commented 2026-06-10 21:47:06 +02:00
Author
Owner
Copy Link
Copy Source

Starting work on fixing the spendRawMana/spendElementMana negative amount exploit. Will add validation to reject negative amounts.

Starting work on fixing the spendRawMana/spendElementMana negative amount exploit. Will add validation to reject negative amounts.
Anexim added ai:done and removed ai:in-progress labels 2026-06-10 21:48:57 +02:00
Anexim commented 2026-06-10 21:48:57 +02:00
Author
Owner
Copy Link
Copy Source

Fixed. Added negative amount validation to spendRawMana, spendElementMana, addRawMana, addElementMana, and unlockElement in manaStore.ts. All 1157 tests pass.

Fixed. Added negative amount validation to spendRawMana, spendElementMana, addRawMana, addElementMana, and unlockElement in manaStore.ts. All 1157 tests pass.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
ai:blocked
ai:done
ai:in-progress
ai:priority:high
priority
 ai:review
ai:todo
No Label ai:done
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
n8n-gitea zhipu Anexim
No Assignees n8n-gitea
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Anexim/Mana-Loop#358
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?