Severity: medium
Valid

`MartenitsaToken` contract not marked as abstract can lead to deploying both `MartenitsaEvent` and `MartenitsaToken`, which is incorrect.

Summary

MartenitsaToken contract is not marked as abstract, which can lead to confusion and incorrect deployment of both MartenitsaToken and MartenitsaEvent contracts.

Vulnerability Details

The codebase is missing documentation and deploy scripts that would clarify which contracts are meant to be deployed.

The tests are also written in a very specific way, from which it could be understood that both MartenitsaEvent and MartenitsaToken need to be deployed separately.

Functions that are present in MartenitsaToken are never called from a MartenitsaEvent instance in the tests, which may be an indicator that the developers don't understand that MartenitsaEvent inherits from the MartenitsaToken contract.

```solidity
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// @audit - missing `abstract` keyword
@> contract MartenitsaToken is ERC721, Ownable {
    uint256 private _nextTokenId;
```

```solidity
import {HealthToken} from "./HealthToken.sol";
import {MartenitsaToken} from "./MartenitsaToken.sol";

contract MartenitsaEvent is MartenitsaToken {
    HealthToken private _healthToken;
```

Impact

Deploying both MartenitsaEvent and MartenitsaToken separately would be incorrect and lead to confusion for users.

Tools Used

Manual review

Recommendations

Make MartenitsaToken contract abstract.
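
The following is an added illustration, not code from the audited project: it shows why deploying a concrete base contract next to its child is a problem, since each deployment has its own address and its own storage. `TokenBase`, `EventChild`, `SplitStateDemo` and all of their members are hypothetical stand-ins; only the inheritance shape (`MartenitsaEvent is MartenitsaToken`) comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Hypothetical stand-in for the base contract in the report.
// It is concrete (no `abstract`), so it can be deployed on its own.
contract TokenBase {
    uint256 private _nextTokenId;
    mapping(address => uint256) public created;

    // Records that the caller created a token in THIS deployment's storage.
    function create() external {
        created[msg.sender]++;
        _nextTokenId++;
    }
}

// Hypothetical stand-in for the child contract. It inherits the code of
// TokenBase, and every deployment of it gets a fresh copy of that storage.
contract EventChild is TokenBase {
    // Answers from the `created` mapping stored at EventChild's own address.
    function canJoin(address user) external view returns (bool) {
        return created[user] > 0;
    }
}

// Reproduces the "two deployments" mistake described in the finding.
contract SplitStateDemo {
    // Compiles only while TokenBase is concrete.
    TokenBase public token = new TokenBase();
    EventChild public evt = new EventChild();

    function run() external returns (bool seenByToken, bool seenByEvent) {
        // The record is written at the TokenBase address only.
        token.create();

        seenByToken = token.created(address(this)) > 0;
        // evt lives at a different address and never received create(),
        // so its inherited mapping has no entry for this caller.
        seenByEvent = evt.canJoin(address(this));
    }
}
```

Once the base is declared as `abstract contract TokenBase`, the `new TokenBase()` expression is rejected by the compiler, so the only deployable contract is the child and all state lives at a single address.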

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

MartenitsaToken and MartenitsaEvent have different addresses
