First Flight #12: Kitty Connect

Beginner Friendly, Foundry, NFT, GameFi
Submission Details
Severity: high
Valid

s_ownerToCatsTokenId calculation could be incorrect if safeTransferFrom is used

Summary

s_ownerToCatsTokenId is a variable which maintains the total number of cats owned by each user.
Consider a scenario where User A and User B have 10 NFTs each. When User A transfers 5 NFTs to User B, then:
s_ownerToCatsTokenId of User B is 15 NFTs
s_ownerToCatsTokenId of User A is 10 NFTs (Note: ideally User A's value should be reduced to 5)

Vulnerability Details

safeTransferFrom() calls _updateOwnershipInfo(), which updates the s_ownerToCatsTokenId variable. Here, push() is used on the new owner but pop() is not used on currCatOwner, which leads to an incorrect calculation of the s_ownerToCatsTokenId variable. I have kept this issue as Low as I don't know how it can be exploited.

Impact

It leads to confusion for users who use the KittyConnect.getCatsTokenIdOwnedBy() function, as it will give an incorrect count.

Tools Used

Visual Studio Code

Recommendations

Add s_ownerToCatsTokenId[currCatOwner].pop() inside the function KittyConnect._updateOwnershipInfo() at the end.
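The bookkeeping gap described above, as an added example that is not part of the submission and not KittyConnect's own code. It is a simplified model: only `s_ownerToCatsTokenId` and the push-without-removal behaviour come from the finding, every other name is hypothetical, and ERC721 ownership checks are omitted. Because `pop()` always drops the last array element, the corrected variant first moves the last entry into the transferred token's slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of per-owner token-ID bookkeeping (illustration only).
contract OwnershipBookkeepingModel {
    mapping(address => uint256[]) private s_ownerToCatsTokenId;
    // Hypothetical helper: position of each token inside its owner's array.
    mapping(uint256 => uint256) private s_idxInOwnerList;

    function mint(address to, uint256 tokenId) external {
        s_idxInOwnerList[tokenId] = s_ownerToCatsTokenId[to].length;
        s_ownerToCatsTokenId[to].push(tokenId);
    }

    // Behaviour described in the finding: the receiver's list grows,
    // the sender's list is never shrunk, so the sender keeps a stale entry.
    function updateAsReported(address, address newOwner, uint256 tokenId) external {
        s_idxInOwnerList[tokenId] = s_ownerToCatsTokenId[newOwner].length;
        s_ownerToCatsTokenId[newOwner].push(tokenId);
    }

    // Swap-and-pop: overwrite the transferred token's slot with the last
    // entry, fix that entry's index, then pop() the now-duplicated tail.
    function updateWithRemoval(address currOwner, address newOwner, uint256 tokenId) external {
        uint256[] storage fromList = s_ownerToCatsTokenId[currOwner];
        uint256 idx = s_idxInOwnerList[tokenId];
        require(idx < fromList.length && fromList[idx] == tokenId, "token not in sender list");

        uint256 lastId = fromList[fromList.length - 1];
        fromList[idx] = lastId;
        s_idxInOwnerList[lastId] = idx;
        fromList.pop();

        s_idxInOwnerList[tokenId] = s_ownerToCatsTokenId[newOwner].length;
        s_ownerToCatsTokenId[newOwner].push(tokenId);
    }

    // Stand-in for a count derived from the per-owner array.
    function ownedCount(address owner) external view returns (uint256) {
        return s_ownerToCatsTokenId[owner].length;
    }
}
```

Minting ten tokens to each of two addresses and moving five with `updateAsReported` leaves `ownedCount` at 10 for the sender and 15 for the receiver, the figures in the Summary; with `updateWithRemoval` the same moves give 5 and 15.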

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Improper token ownership update in `_updateOwnershipInfo`
