First Flight #13: Baba Marta

First Flight #13

Beginner FriendlyFoundryGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Unauthorized Reward Claiming by Producers via Token Transfers

pelz

Summary

The collectReward function in the MartenitsaMarketplace.sol contract has a vulnerability where producers can bypass the eligibility check and claim rewards by transferring their already created tokens to another address they control. This circumvention undermines the intended restriction on producers claiming rewards and poses a risk to the fairness of the reward distribution system.

Vulnerability Details

The vulnerability arises from the inadequate enforcement of eligibility criteria in the collectReward function. While the function includes a check to ensure that producers are not eligible for rewards, this check can be bypassed by producers transferring their tokens to other addresses they control. By transferring tokens to eligible addresses, producers can effectively circumvent the eligibility check and claim rewards improperly.

Proof of Concept (POC):

// Producer is eligible for reward after creating 3 martenitsas

vm.startPrank(chasy);

martenitsaToken.createMartenitsa("bracelet");

martenitsaToken.approve(address(marketplace), 0);

martenitsaToken.approve(address(marketplace), 1);

martenitsaToken.approve(address(marketplace), 2);

marketplace.makePresent(bob, 0);

marketplace.makePresent(bob, 1);

marketplace.makePresent(bob, 2);

vm.stopPrank();

vm.startPrank(bob);

// Collect reward

marketplace.collectReward();

// Transfer reward back to chasy (producer)

healthToken.transfer(chasy, 10 ** 18);

vm.stopPrank();

assert(healthToken.balanceOf(chasy) == 10 ** 18);

The provided POC demonstrates how a producer (chasy) can create three Martenitsas and transfer them to another address (bob). Subsequently, bob can collect the rewards and transfer them back to chasy, effectively bypassing the restriction on producers claiming rewards.

Impact

This vulnerability undermines the fairness and integrity of the reward distribution system in the marketplace. Producers can exploit this loophole to claim rewards improperly, potentially leading to unfair advantages and distortions in the distribution of rewards. Additionally, it may erode user trust in the platform and diminish the perceived value of rewards.

Tools Used

manual code review.

Recommendations

To mitigate this vulnerability, consider implementing stricter controls to prevent producers from transferring their tokens to other addresses for the purpose of claiming rewards. Additionally, review the reward distribution mechanism to ensure that rewards are distributed fairly and in accordance with the intended criteria.

One potential fix could be to restrict producers from making presents altogether, allowing only those who purchase NFTs to be eligible for rewards. This would help prevent producers from exploiting the reward system by transferring tokens to other addresses they control. However, it's important to consider the impact of such restrictions on the overall functionality and user experience of the marketplace.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Multiple addresses

Rewards breakdown

nSLOC

239

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.