Tags: Beginner Friendly, Foundry, GameFi
Submission Details
Severity: high
Valid

Missing access control lets anyone modify the token count in `MartenitsaToken`

Summary

`MartenitsaToken::updateCountMartenitsaTokensOwner` is `external` and performs no caller check, so any address can increment or decrement the recorded token count of any owner, including itself.

Vulnerability Details

The function `MartenitsaToken::updateCountMartenitsaTokensOwner` updates the number of tokens recorded for an owner:

```solidity
function updateCountMartenitsaTokensOwner(
    address owner,
    string memory operation
) external {
    // Q: is encodePacked a problem here?
    if (
        keccak256(abi.encodePacked(operation)) ==
        keccak256(abi.encodePacked("add"))
    ) {
        countMartenitsaTokensOwner[owner] += 1;
    } else if (
        keccak256(abi.encodePacked(operation)) ==
        keccak256(abi.encodePacked("sub"))
    ) {
        countMartenitsaTokensOwner[owner] -= 1;
    } else {
        revert("Wrong operation");
    }
}
```

The function is `external` and never checks `msg.sender`. Nothing restricts who may call it, so any account can increment or decrement `countMartenitsaTokensOwner` for any address, its own included, without holding or transferring a single token.

Impact

An attacker can inflate their own recorded token count at will, or arbitrarily raise or lower the count of any other user (griefing). Any logic that relies on `countMartenitsaTokensOwner` as a faithful record of ownership can therefore be manipulated.

Tools Used

Foundry, Manual review

PoC (Foundry test; `createMartenitsa` is the test modifier that mints one token to `chasy` beforehand, so the count starts at 1):

```solidity
function testUpdateCountAttack() public createMartenitsa {
    // jack holds no special role and is not the owner being updated
    vm.prank(jack);
    martenitsaToken.updateCountMartenitsaTokensOwner(chasy, "add");
    // chasy's count rose from 1 to 2 without any token being minted or transferred
    assert(martenitsaToken.getCountMartenitsaTokensOwner(chasy) == 2);
}
```

Recommendations

Restrict `updateCountMartenitsaTokensOwner` to the callers that legitimately move tokens: check `msg.sender` against an allow-list (or a single trusted contract/owner) and revert otherwise, rather than leaving the function callable by anyone.
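One way to apply that recommendation, shown as an added example rather than the project's own code. The contract name `MartenitsaTokenHardened`, the `authorizedCallers` mapping, the `onlyAuthorized` modifier, the `setAuthorizedCaller` admin function and the custom errors are assumptions chosen for illustration; the Foundry test below it reproduces the PoC's call from an unauthorized `jack` and checks that it now reverts while an allow-listed caller still works.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example (hypothetical hardened variant, not the audited contract).
contract MartenitsaTokenHardened {
    mapping(address => uint256) public countMartenitsaTokensOwner;
    // Assumed allow-list of contracts/accounts permitted to adjust counts.
    mapping(address => bool) public authorizedCallers;
    address public immutable admin;

    error NotAuthorized(address caller);
    error WrongOperation();

    constructor() {
        admin = msg.sender;
        authorizedCallers[msg.sender] = true; // assumption: deployer may manage counts
    }

    modifier onlyAuthorized() {
        if (!authorizedCallers[msg.sender]) revert NotAuthorized(msg.sender);
        _;
    }

    function setAuthorizedCaller(address caller, bool allowed) external {
        if (msg.sender != admin) revert NotAuthorized(msg.sender);
        authorizedCallers[caller] = allowed;
    }

    // Same comparison as the original; hashing a single string with
    // abi.encodePacked has no collision ambiguity (that risk needs >1 dynamic arg).
    function updateCountMartenitsaTokensOwner(address owner, string memory operation)
        external
        onlyAuthorized
    {
        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256("sub")) {
            countMartenitsaTokensOwner[owner] -= 1; // checked arithmetic reverts on underflow
        } else {
            revert WrongOperation();
        }
    }
}

contract MartenitsaTokenHardenedTest is Test {
    MartenitsaTokenHardened token;
    address chasy = makeAddr("chasy");
    address jack = makeAddr("jack");

    function setUp() public {
        token = new MartenitsaTokenHardened(); // this test contract becomes admin
    }

    // The PoC call from an arbitrary account is now rejected.
    function testUnauthorizedCallerReverts() public {
        vm.prank(jack);
        vm.expectRevert(
            abi.encodeWithSelector(MartenitsaTokenHardened.NotAuthorized.selector, jack)
        );
        token.updateCountMartenitsaTokensOwner(chasy, "add");
        assertEq(token.countMartenitsaTokensOwner(chasy), 0);
    }

    // An allow-listed caller can still keep the count in sync.
    function testAuthorizedCallerCanUpdate() public {
        token.setAuthorizedCaller(jack, true);
        vm.prank(jack);
        token.updateCountMartenitsaTokensOwner(chasy, "add");
        assertEq(token.countMartenitsaTokensOwner(chasy), 1);
    }
}
```

Run with `forge test --match-contract MartenitsaTokenHardenedTest`. In the real codebase the allow-list entry would be the token contract (or whichever contract mints and transfers Martenitsa tokens), so that the count can only change alongside an actual ownership change.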

Updates

Lead Judging Commences

bube (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
