Summary
Vulnerability Details
The documentation of the `MartenitsaMarketplace.sol` contract mentions a `cancelListing` function, but no such function exists in the contract. `cancelListing` is required so that a producer can cancel the listing of a Martenitsa on the marketplace.
## MartenitsaMarketplace.sol
This contract provides a marketplace where users can buy and sell martenitsa tokens, with additional functionality for making presents, collecting rewards and managing listings. All users can participate in buying and collecting rewards, but only producers can list their tokens for sale and then sell them.
- `listMartenitsaForSale`: Allows registered producers to list a martenitsa token for sale with a specified price.
- `buyMartenitsa`: Allows users to buy a listed martenitsa token and transfer funds to the seller.
- `makePresent`: Allows users to make a present of a martenitsa token they own to someone else.
- `collectReward`: Allows users to collect `HealthTokens` as a reward based on the number of `MartenitsaTokens` they own. For every 3 different `MartenitsaTokens` you receive 1 `HealthToken`.
@> - `cancelListing`: Allows sellers to cancel the listing for sale of a martenitsa token.
- `getListing`: Retrieves the characteristics of a martenitsa token listed for sale.
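To make the gap concrete, here is a stripped-down marketplace that implements the listing lifecycle the documentation describes, including the missing cancel path, together with a Foundry test showing that a cancelled listing can no longer be bought and cannot be cancelled twice. This is an added illustration written for this page, not the project's code: the contract name `MinimalMarketplace`, the mock `MockMartenitsaToken`, the four-field `Listing` struct, the event names and the revert strings are assumptions; the token interface (`ownerOf`, `isProducer`) mirrors the calls used in the recommendation below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed minimal view of the token contract (not the project's real interface).
interface IMartenitsaToken {
    function ownerOf(uint256 tokenId) external view returns (address);
    function isProducer(address account) external view returns (bool);
}

contract MinimalMarketplace {
    // Assumed listing shape; the real struct is not shown on the page.
    struct Listing { uint256 tokenId; address seller; uint256 price; bool forSale; }

    IMartenitsaToken public immutable martenitsaToken;
    mapping(uint256 => Listing) public tokenIdToListing;

    event MartenitsaListed(uint256 indexed tokenId, address indexed seller, uint256 price);
    event MartenitsaCanceled(uint256 indexed tokenId);
    event MartenitsaSold(uint256 indexed tokenId, address indexed buyer, uint256 price);

    constructor(address token) { martenitsaToken = IMartenitsaToken(token); }

    // Only the producer who currently owns the token may list or cancel it.
    modifier onlyProducerOwner(uint256 tokenId) {
        require(msg.sender == martenitsaToken.ownerOf(tokenId), "You do not own this token");
        require(martenitsaToken.isProducer(msg.sender), "You are not a producer!");
        _;
    }

    function listMartenitsaForSale(uint256 tokenId, uint256 price) external onlyProducerOwner(tokenId) {
        require(price > 0, "Price must be greater than zero");
        tokenIdToListing[tokenId] = Listing(tokenId, msg.sender, price, true);
        emit MartenitsaListed(tokenId, msg.sender, price);
    }

    // Without this function a listing only leaves the mapping through buyMartenitsa,
    // so a producer who changes their mind stays exposed to a sale at the stale price.
    function cancelListing(uint256 tokenId) external onlyProducerOwner(tokenId) {
        require(tokenIdToListing[tokenId].forSale, "Token is not listed for sale");
        delete tokenIdToListing[tokenId];
        emit MartenitsaCanceled(tokenId);
    }

    function getListing(uint256 tokenId) external view returns (Listing memory) {
        require(tokenIdToListing[tokenId].forSale, "Token is not listed for sale");
        return tokenIdToListing[tokenId];
    }

    // Token transfer is omitted; only the listing bookkeeping and payment matter here.
    function buyMartenitsa(uint256 tokenId) external payable {
        Listing memory l = tokenIdToListing[tokenId];
        require(l.forSale, "Token is not listed for sale");
        require(msg.value == l.price, "Incorrect price");
        delete tokenIdToListing[tokenId];
        emit MartenitsaSold(tokenId, msg.sender, l.price);
        (bool ok,) = l.seller.call{value: msg.value}("");
        require(ok, "Transfer failed");
    }
}

// Constructed mock standing in for the real token contract.
contract MockMartenitsaToken is IMartenitsaToken {
    mapping(uint256 => address) public owners;
    mapping(address => bool) public producers;
    function mint(address to, uint256 tokenId, bool producer) external { owners[tokenId] = to; producers[to] = producer; }
    function ownerOf(uint256 tokenId) external view returns (address) { return owners[tokenId]; }
    function isProducer(address a) external view returns (bool) { return producers[a]; }
}

contract CancelListingTest is Test {
    MinimalMarketplace marketplace;
    MockMartenitsaToken token;
    address producer = makeAddr("producer");
    address buyer = makeAddr("buyer");

    function setUp() public {
        token = new MockMartenitsaToken();
        marketplace = new MinimalMarketplace(address(token));
        token.mint(producer, 0, true);
        vm.prank(producer);
        marketplace.listMartenitsaForSale(0, 1 ether);
    }

    // After cancelling, the listing is cleared and a buyer can no longer purchase at the old price.
    function testCancelledListingCannotBeBought() public {
        vm.prank(producer);
        marketplace.cancelListing(0);
        (, , , bool forSale) = marketplace.tokenIdToListing(0);
        assertFalse(forSale);
        vm.deal(buyer, 1 ether);
        vm.expectRevert("Token is not listed for sale");
        vm.prank(buyer);
        marketplace.buyMartenitsa{value: 1 ether}(0);
    }

    // Cancelling a token that is not listed must revert rather than silently emit an event.
    function testCancelRequiresActiveListing() public {
        vm.startPrank(producer);
        marketplace.cancelListing(0);
        vm.expectRevert("Token is not listed for sale");
        marketplace.cancelListing(0);
        vm.stopPrank();
    }
}
```

Run it with `forge test --mc CancelListingTest -vvvv`. The `forSale` guard in `cancelListing` is the one detail worth carrying over into the real contract: it keeps the function from emitting `MartenitsaCanceled` for listings that never existed.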
POC (Testing the `cancelListing` function)
After adding the `cancelListing` function to the `MartenitsaMarketplace.sol` contract, the producer will be able to cancel the listing of a Martenitsa on the marketplace. We can test `cancelListing` by adding the following test, which uses the test suite's existing `listMartenitsa` modifier, to the `MartenitsaMarketplace.t.sol` contract:
```solidity
function testCancelListing() public listMartenitsa {
    // Act as the producer who listed token 0 and cancel the listing
    vm.prank(chasy);
    marketplace.cancelListing(0);
    // A cancelled token no longer has a listing to retrieve
    vm.expectRevert("Token is not listed for sale");
    list = marketplace.getListing(0);
    // The stored listing has been cleared: forSale is now false
    (,,,,bool forSale) = marketplace.tokenIdToListing(0);
    assert(forSale == false);
}
```
```bash
forge test --mt testCancelListing -vvvv
```
Impact
Tools Used
Recommendations
+ event MartenitsaCanceled(uint256 indexed tokenId);
+ function cancelListing(uint256 tokenId) external {
+ require(msg.sender == martenitsaToken.ownerOf(tokenId), "You do not own this token");
+ require(martenitsaToken.isProducer(msg.sender), "You are not a producer!");
+ delete tokenIdToListing[tokenId];
+ emit MartenitsaCanceled(tokenId);
+ }
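Review bot: `cancelListing` never checks that `tokenId` is actually listed, so a call on an unlisted token passes both `require`s, performs a no-op `delete`, and still emits `MartenitsaCanceled` for a listing that never existed; add `require(tokenIdToListing[tokenId].forSale, "Token is not listed for sale");` before the `delete` (the `forSale` field is the fifth element of `tokenIdToListing`, as the POC test destructures it), reusing the revert string the POC already expects from `getListing`.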