Submission Details
Severity: medium
Valid

MartenitsaEvent::_addProducer not updating correct storage variables

Summary

The MartenitsaEvent contract extends the MartenitsaToken contract, so the MartenitsaEvent contract holds its own producers array and isProducer mapping. These are independent of the storage variables in the separately deployed MartenitsaToken contract, where all producers are meant to be stored and mapped. As a result, _addProducer updates the wrong producers array and isProducer mapping.

Vulnerability Details

The MartenitsaEvent contract extends the MartenitsaToken contract, inheriting its storage variables and functions. Inheritance gives the child contract a copy of the storage layout, not access to the state of the deployed instance, so the MartenitsaEvent contract has its own producers array and isProducer mapping, separate from the ones in the deployed MartenitsaToken contract.

When the _addProducer function is called within the MartenitsaEvent contract, it updates the producers array and isProducer mapping specific to the MartenitsaEvent contract, rather than the ones in the deployed MartenitsaToken contract. This means that the producers added through the MartenitsaEvent contract are not reflected in the main MartenitsaToken contract's storage.

    function _addProducer(address _producer) internal {
        // Both writes land in MartenitsaEvent's own storage slots,
        // not in the deployed MartenitsaToken contract.
        isProducer[_producer] = true;
        producers.push(_producer);
    }

Impact

  1. Inconsistent Producer Data: The producers added through the MartenitsaEvent contract are stored separately from the main MartenitsaToken contract. This leads to inconsistencies in the producer data between the two contracts, as the MartenitsaToken contract's producers array and isProducer mapping are not updated.

  2. Incorrect Access Control: If the MartenitsaEvent contract relies on the isProducer mapping for access control or permissions, it may grant incorrect access to users who are not actually recognized as producers in the main MartenitsaToken contract.

POC

The Foundry test below shows that bob is a producer in the martenitsaEvent contract but is not a producer in the martenitsaToken contract.

    function testJoinEvent() public activeEvent eligibleForReward {
        vm.startPrank(bob);
        marketplace.collectReward();
        healthToken.approve(address(martenitsaEvent), 10 ** 18);
        martenitsaEvent.joinEvent();
        vm.stopPrank();
        assert(martenitsaEvent.isProducer(bob) == true);
        assert(martenitsaToken.isProducer(bob) == false);
    }

Tools Used

Manual Review

Recommendations

The MartenitsaEvent contract should be given access to call the setProducers function of the deployed MartenitsaToken contract, and setProducers should be called instead of the _addProducer function.
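An added illustration, not code from the Martenitsa project: two minimal stand-in contracts showing why inheritance does not share the deployed token's storage (the Vulnerability Details above) and the recommended shape that writes through the token's setProducers instead. The contract names, the authorize helper and the setProducers signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the deployed token (assumption, not the project's code).
contract TokenLike {
    address public owner;
    mapping(address => bool) public authorized;   // callers allowed to use setProducers
    mapping(address => bool) public isProducer;
    address[] public producers;

    constructor() { owner = msg.sender; }

    function authorize(address caller) external {
        require(msg.sender == owner, "not owner");
        authorized[caller] = true;
    }

    // Assumed signature; the real setProducers may differ.
    function setProducers(address[] calldata list) external {
        require(msg.sender == owner || authorized[msg.sender], "not allowed");
        for (uint256 i = 0; i < list.length; i++) {
            isProducer[list[i]] = true;
            producers.push(list[i]);
        }
    }
}

// Buggy shape: inheriting copies the storage LAYOUT, not the deployed token's state.
// Every write below lands in EventBuggy's own slots; the token deployed at the
// other address never sees them.
contract EventBuggy is TokenLike {
    function joinEvent() external {
        isProducer[msg.sender] = true;
        producers.push(msg.sender);
    }
}

// Fixed shape: keep a reference to the deployed token and write through its
// authorised setter, so there is a single source of truth for producers.
contract EventFixed {
    TokenLike public immutable token;

    constructor(TokenLike _token) { token = _token; }

    function joinEvent() external {
        address[] memory one = new address[](1);
        one[0] = msg.sender;
        token.setProducers(one); // reverts unless owner called token.authorize(address(this))
    }
}
```

With EventBuggy, a check of `token.isProducer(user)` on the separately deployed TokenLike stays false after joinEvent; with EventFixed it becomes true once the token owner has authorised the event contract.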

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

MartenitsaToken and MartenitsaEvent have different addresses
