Submission Details
Severity: high
Valid

Attacker can mint unlimited healthToken due to lack of access control on MartenitsaToken::updateCountMartenitsaTokensOwner

Summary

The MartenitsaToken contract contains a critical vulnerability that allows an attacker to mint an unlimited amount of health tokens. This is due to the lack of proper access control on the updateCountMartenitsaTokensOwner function.

Vulnerability Details

The updateCountMartenitsaTokensOwner function in the MartenitsaToken contract is responsible for updating the count of Martenitsa tokens owned by an address, which the marketplace later uses to decide how many health tokens a user may collect. However, the function has no access control at all and is declared external, so any account, not just the contracts that are meant to use it, can call it and change the token count for any arbitrary address.
Here's the vulnerable code:

    // No modifier and no caller check: anyone can call this and adjust any owner's count.
    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }

Impact

The vulnerability has a severe impact on the integrity and security of the MartenitsaToken contract. An attacker can exploit this vulnerability to:

  1. Mint an unlimited amount of health tokens for themselves or any other address.

  2. Manipulate the token balances of any user, potentially leading to unauthorized access to features or benefits associated with the token.

  3. Disrupt the token economy by inflating the token supply and devaluing the tokens held by legitimate users.

  4. Gain unfair advantages within the system that utilizes the MartenitsaToken.

POC

  1. The attacker calls martenitsaToken::updateCountMartenitsaTokensOwner(attacker, "add") several times.

  2. The attacker calls MartenitsaMarketplace::collectReward().

  3. The attacker receives health tokens.

    function testCollectReward() public eligibleForReward {
        vm.startPrank(attacker);
        // Inflate the attacker's Martenitsa token count without owning any tokens.
        for (uint256 i = 0; i < 300; i++) {
            martenitsaToken.updateCountMartenitsaTokensOwner(attacker, "add");
        }
        // The marketplace trusts the inflated count and pays out health tokens.
        marketplace.collectReward();
        vm.stopPrank();
        assert(healthToken.balanceOf(attacker) == 100 * 10 ** 18);
    }

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, it is crucial to implement proper access control on the updateCountMartenitsaTokensOwner function. The following recommendations should be considered:

  1. Restrict access to the function with an access control mechanism so that only the contracts that legitimately use it (such as the marketplace) can call it.

  2. Validate the caller on every invocation, so that only contracts explicitly authorized by the owner are able to update the count.
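One way to implement both recommendations is an owner-managed allowlist of updater contracts checked by a modifier. The following is an added illustrative example and not the project's code: the contract name MartenitsaTokenHardened, the setAuthorizedUpdater function, the NotAuthorized error, the use of OpenZeppelin's Ownable (v5 constructor signature assumed) and the Foundry test harness are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumptions: OpenZeppelin v5 and forge-std are installed; names below are illustrative.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

contract MartenitsaTokenHardened is Ownable {
    mapping(address => uint256) public countMartenitsaTokensOwner;
    // Only contracts registered here (e.g. the marketplace) may change counts.
    mapping(address => bool) public isAuthorizedUpdater;

    event UpdaterSet(address indexed updater, bool allowed);

    error NotAuthorized(address caller);
    error WrongOperation();

    constructor() Ownable(msg.sender) {}

    // Recommendation 2: validate the caller on every invocation.
    modifier onlyAuthorized() {
        if (!isAuthorizedUpdater[msg.sender]) revert NotAuthorized(msg.sender);
        _;
    }

    // Recommendation 1: only the owner decides which contracts get access.
    function setAuthorizedUpdater(address updater, bool allowed) external onlyOwner {
        isAuthorizedUpdater[updater] = allowed;
        emit UpdaterSet(updater, allowed);
    }

    function updateCountMartenitsaTokensOwner(address owner, string memory operation)
        external
        onlyAuthorized
    {
        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256("sub")) {
            countMartenitsaTokensOwner[owner] -= 1; // checked arithmetic reverts on underflow
        } else {
            revert WrongOperation();
        }
    }
}

// Foundry test (hypothetical harness) confirming the fix closes the reported path.
contract MartenitsaTokenHardenedTest is Test {
    MartenitsaTokenHardened token;
    address marketplace = makeAddr("marketplace");
    address attacker = makeAddr("attacker");

    function setUp() public {
        token = new MartenitsaTokenHardened();
        token.setAuthorizedUpdater(marketplace, true);
    }

    function testAttackerCannotInflateCount() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(MartenitsaTokenHardened.NotAuthorized.selector, attacker)
        );
        token.updateCountMartenitsaTokensOwner(attacker, "add");
        assertEq(token.countMartenitsaTokensOwner(attacker), 0);
    }

    function testAuthorizedMarketplaceCanUpdate() public {
        vm.prank(marketplace);
        token.updateCountMartenitsaTokensOwner(attacker, "add");
        assertEq(token.countMartenitsaTokensOwner(attacker), 1);
    }
}
```

An allowlist keyed by address (rather than a single hard-coded marketplace) lets the owner rotate or add trusted contracts without redeploying the token, and the emitted UpdaterSet event gives monitoring a clear signal whenever the set of privileged callers changes.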

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
