In MartenitsaToken, the function updateCountMartenitsaTokensOwner() is meant to record the number of martenitsa tokens held by each address. However, it has no access control: anyone can call it to update the count of any address.
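/// @notice Demonstrates the missing access control on updateCountMartenitsaTokensOwner():
///         Alice, an address given no role in this test, changes Cathy's recorded count.
/// @dev Passes while the function is callable by anyone (the vulnerable behaviour).
///      Once the function is restricted to the marketplace, the call below is expected
///      to revert and this test should become an expectRevert check.
function testUpdateAccountAccessControl() public {
    address alice = makeAddr("Alice");
    address cathy = makeAddr("Cathy");

    // Assumes the getter returns uint256, matching the countMartenitsaTokensOwner mapping.
    uint256 cathyBefore = martenitsaToken.getCountMartenitsaTokensOwner(cathy);
    console.log("Alice Token Amount: ", martenitsaToken.getCountMartenitsaTokensOwner(alice));
    console.log("Cathy Token Amount: ", cathyBefore);

    // Alice acts as an arbitrary caller and updates an unrelated account's count.
    vm.startPrank(alice);
    martenitsaToken.updateCountMartenitsaTokensOwner(cathy, "add");
    // End the prank so later calls in this test are not attributed to Alice.
    vm.stopPrank();

    uint256 cathyAfter = martenitsaToken.getCountMartenitsaTokensOwner(cathy);
    console.log("Cathy Token Amount after Alice update: ", cathyAfter);

    // Pin the effect instead of relying on log output: "add" increments the count by one.
    assertEq(cathyAfter, cathyBefore + 1, "unauthorised caller changed another account's count");
}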
The accounting of Martenitsa token amounts becomes unreliable: any user can change the count in order to collect more rewards.
Add an access-control modifier to updateCountMartenitsaTokensOwner so that only the marketplace is allowed to call this function.
@@ -7,6 +7,7 @@ import "@openzeppelin/contracts/access/Ownable.sol";
contract MartenitsaToken is ERC721, Ownable {
uint256 private _nextTokenId;
+ address public marketplace;
address[] public producers;
mapping(address => uint256) public countMartenitsaTokensOwner;
@@ -17,6 +18,14 @@ contract MartenitsaToken is ERC721, Ownable {
constructor() ERC721("MartenitsaToken", "MT") Ownable(msg.sender) {}
+ modifier onlyMarketplace {
+ require(msg.sender == marketplace);
+ _;
+ }
+
+ function setMarketplace(address marketplace) public onlyOwner {
+ marketplace = marketplace;
+ }
/**
* @notice Function to set producers.
* @param _producersList The addresses of the producers.
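Review bot: `setMarketplace` never writes the state variable, because its parameter is also named `marketplace`, so `marketplace = marketplace;` assigns the parameter to itself and the storage value stays at `address(0)`. As a result `onlyMarketplace` compares `msg.sender` against the zero address, and the guarded `updateCountMartenitsaTokensOwner` in the last hunk reverts for every caller, the real marketplace included. Rename the parameter and reject the zero address: `function setMarketplace(address _marketplace) public onlyOwner {`, `require(_marketplace != address(0), "marketplace is zero");`, `marketplace = _marketplace;`. The bare `require(msg.sender == marketplace);` in the modifier should also carry a revert reason, for example `require(msg.sender == marketplace, "caller is not marketplace");`, so a rejected call is distinguishable in traces.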
@@ -59,7 +68,9 @@ contract MartenitsaToken is ERC721, Ownable {
* @param owner The address of the owner.
* @param operation Operation for update: "add" for +1 and "sub" for -1.
*/
- function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
+ function updateCountMartenitsaTokensOwner(address owner, string memory operation) external onlyMarketplace{
if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
countMartenitsaTokensOwner[owner] += 1;
} else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {