The KittyConnect contract enables the addition of multiple shop partners. However, it lacks functionality to remove shop partners. Consequently, if a business decides not to collaborate with a specific shop, there is no mechanism to remove it, and that shop can continue minting tokens for its users.
The absence of a function to remove shop partners within the KittyConnect contract constitutes a vulnerability. Without the ability to revoke access, unwanted shop partners retain the capability to mint tokens, compromising the integrity of the system.
The inability to remove shop partners poses a significant operational risk. If a business no longer wishes to engage with a particular shop, it has no recourse to prevent the shop from minting tokens, potentially leading to unauthorized token issuance and misuse.
Manual review, code analysis.
Implementing a blacklist functionality within the KittyConnect contract would be advisable. This feature would enable the addition of unwanted shop partners to a blacklist, effectively revoking their ability to mint tokens. By incorporating this blacklist mechanism, businesses gain enhanced control over their partnerships, thereby mitigating the risks associated with unauthorized token issuance.
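A minimal sketch of the recommended blacklist, added here as an illustration and not taken from the KittyConnect source. The contract name, function names, mappings and the simplified `mint()` are all hypothetical; the point is that the blacklist is checked on every mint, so revocation takes effect immediately.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: every name here is hypothetical, not KittyConnect's own.
contract ShopPartnerBlacklistSketch {
    address public immutable owner;
    mapping(address => bool) public isShopPartner;
    mapping(address => bool) public isBlacklisted;
    uint256 public totalMinted;

    event ShopAdded(address indexed shop);
    event ShopBlacklisted(address indexed shop);

    error NotOwner();
    error NotActiveShopPartner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Evaluated on every mint, so a blacklisted shop is rejected at once.
    modifier onlyActiveShopPartner() {
        if (!isShopPartner[msg.sender] || isBlacklisted[msg.sender]) {
            revert NotActiveShopPartner();
        }
        _;
    }

    function addShop(address shop) external onlyOwner {
        // Does not clear isBlacklisted: re-adding a shop cannot undo a revocation.
        isShopPartner[shop] = true;
        emit ShopAdded(shop);
    }

    // The capability the finding reports as missing: revoke a partner's mint rights.
    function blacklistShop(address shop) external onlyOwner {
        isBlacklisted[shop] = true;
        emit ShopBlacklisted(shop);
    }

    // Stand-in for the real mint function; it only hands out sequential ids.
    function mint() external onlyActiveShopPartner returns (uint256 tokenId) {
        tokenId = totalMinted++;
    }
}
```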