Severity: medium
Valid

A seller who lists a MartenitsaToken in `MartenitsaMarketplace` without approving it causes a DoS for buyers and gains a voting advantage

Summary

`MartenitsaMarketplace::listMartenitsaForSale` allows producers to list their MartenitsaToken for sale in the `MartenitsaMarketplace` contract, but it does not lock the NFT by transferring it from the seller to the marketplace contract. As a result, the seller can transfer the token to another address, and other users cannot buy the NFT, which is a DoS for anyone trying to buy that seller's MartenitsaToken. The seller also gains an advantage in the `MartenitsaVoting` contract, which allows voting only for tokens that are listed in the marketplace and does not allow users to vote once the token is sold. By not approving the token to the `MartenitsaMarketplace` contract, the seller stays eligible to receive votes for the whole voting duration, because their token can never be bought and will always be listed.

Vulnerability Details

The vulnerability is in the `MartenitsaMarketplace` contract: sellers listing their Martenitsa token are not forced to lock it in the contract. Instead, they are expected to keep the token approved to the marketplace contract so that the sale can go through when someone buys it.

A seller who never approves the token, or who revokes the approval before the sale, prevents users from buying it.

The purchase can only succeed if the seller has approved the token beforehand. If the seller has given no approval to the marketplace contract, no one can buy the token and the listing stays in the marketplace contract indefinitely.

Impact

  • DoS for any user who tries to buy the MartenitsaToken of a seller who has either revoked the approval to `MartenitsaMarketplace` or never approved it.

  • The `MartenitsaVoting` contract allows voting for a token for as long as it is listed in the marketplace. A seller who does not approve the marketplace remains eligible to receive votes for the whole duration of voting, because no one is able to buy their token.

Tools Used

Manual Review

Recommendations

Lock the MartenitsaToken inside `MartenitsaMarketplace` when the seller lists it for sale by transferring it to the marketplace contract.
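
One way to implement this recommendation, as an added example that is not the audited project's code: a hypothetical escrow marketplace in which listing transfers the NFT into the contract, so a listing cannot exist unless the token is locked. The contract, function and variable names are assumptions, the ERC-721 interface is declared inline, and the pull-payment withdrawal is a design choice of this sketch rather than something the finding prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface used here, declared inline so the file compiles alone.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical escrow marketplace: every name below is an illustrative assumption.
contract EscrowMarketplaceSketch {
    struct Listing { address seller; uint256 price; }

    IERC721Minimal public immutable token;
    mapping(uint256 => Listing) public listings;
    mapping(address => uint256) public proceeds; // sale proceeds, withdrawn by sellers

    constructor(IERC721Minimal token_) { token = token_; }

    // Listing pulls the NFT into escrow. transferFrom reverts when the marketplace
    // is not approved, so an unapproved (unbuyable) listing can never be created.
    function list(uint256 tokenId, uint256 price) external {
        require(price > 0, "price is zero");
        require(token.ownerOf(tokenId) == msg.sender, "not owner");
        listings[tokenId] = Listing(msg.sender, price);
        token.transferFrom(msg.sender, address(this), tokenId);
    }

    // The marketplace owns the token, so revoking approval cannot block the sale.
    // Crediting proceeds instead of pushing ETH keeps a reverting seller from blocking it.
    function buy(uint256 tokenId) external payable {
        Listing memory l = listings[tokenId];
        require(l.seller != address(0), "not listed");
        require(msg.value == l.price, "wrong price");
        delete listings[tokenId];
        proceeds[l.seller] += msg.value;
        token.transferFrom(address(this), msg.sender, tokenId);
    }

    // The seller gets the token back only by removing the listing.
    function cancel(uint256 tokenId) external {
        require(listings[tokenId].seller == msg.sender, "not seller");
        delete listings[tokenId];
        token.transferFrom(address(this), msg.sender, tokenId);
    }

    function withdraw() external {
        uint256 amount = proceeds[msg.sender];
        proceeds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

With the token held in escrow, any contract that checks the token's owner sees the marketplace rather than the seller while the listing is active, so such checks need to read the listing's `seller` field instead.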

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of approval
