When a user buys a Martenitsa, the buyMartenitsa function calls martenitsaToken::updateCountMartenitsaTokensOwner before it clears the listing with delete tokenIdToListing[tokenId];. Because the owner counts are updated before the listing is removed from the marketplace state, updateCountMartenitsaTokensOwner can be called multiple times before that state is settled. An attacker can therefore manipulate the token count repeatedly before the listing is deleted, leaving the counts of Martenitsa tokens attributed to buyers and sellers inaccurate.
Bob wants more Martenitsa tokens, but he cannot wait for the producers. He writes a contract that attacks the buyMartenitsa function and calls updateCountMartenitsaTokensOwner many times in quick succession, crediting himself with more tokens than he actually bought.
The inflated count can then be used for healthToken: if an attacker can add multiple tokens to his address, he can claim more healthToken than he is entitled to, possibly draining the contract.
Bob ends up with 6 tokens instead of 1.
Tools used: slither and manual review.
To mitigate this vulnerability, make state modifications in the correct order (checks, effects, interactions), especially when interacting with external contracts. In this case it is safer to delete the tokenId from the tokenIdToListing mapping before making the external call that updates the token counts, so that a repeated call for the same tokenId fails the listing check instead of updating the counts again.
Here's how you could adjust the order of operations:
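The code that was meant to follow is not present on this page. The snippet below is an added example written for this edit, not the submission's own code and not the project's contract. It assumes an interface for the token contract (updateCountMartenitsaTokensOwner(address, string) and an ERC-721 style safeTransferFrom) and a Listing struct with seller, price and forSale fields; those names are assumptions for illustration. It shows the reordered buyMartenitsa, where the listing is deleted before any external call, and a token-side check that only the marketplace may update the counts, since the PoC above has Bob's contract calling updateCountMartenitsaTokensOwner directly, and reordering alone does nothing against that.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for illustration; not the project's actual declaration.
interface IMartenitsaToken {
    function updateCountMartenitsaTokensOwner(address owner, string calldata operation) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Token-side counter with the caller restricted to the marketplace (assumed design).
contract MartenitsaTokenCounts {
    address public immutable marketplace;
    mapping(address => uint256) public countMartenitsaTokensOwner;

    modifier onlyMarketplace() {
        require(msg.sender == marketplace, "Caller is not the marketplace");
        _;
    }

    constructor(address marketplace_) {
        marketplace = marketplace_;
    }

    // Only the marketplace may add or subtract; an attacker contract can no longer
    // call this in a loop to inflate its own count.
    function updateCountMartenitsaTokensOwner(address owner, string calldata operation)
        external
        onlyMarketplace
    {
        bytes32 op = keccak256(bytes(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256("sub")) {
            require(countMartenitsaTokensOwner[owner] > 0, "Count underflow");
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
}

contract MartenitsaMarketplaceFixed {
    struct Listing {
        address seller;
        uint256 price;
        bool forSale;
    }

    IMartenitsaToken public immutable martenitsaToken;
    mapping(uint256 => Listing) public tokenIdToListing;

    event MartenitsaSold(uint256 indexed tokenId, address indexed buyer, uint256 price);

    constructor(address token) {
        martenitsaToken = IMartenitsaToken(token);
    }

    function buyMartenitsa(uint256 tokenId) external payable {
        // Checks: read the listing once and validate it.
        Listing memory listing = tokenIdToListing[tokenId];
        require(listing.forSale, "Token is not listed for sale");
        require(msg.value >= listing.price, "Insufficient funds");

        address seller = listing.seller;
        uint256 salePrice = listing.price;

        // Effects: clear the listing BEFORE any call leaves this contract, so a
        // second buyMartenitsa(tokenId) made during the external calls below
        // fails the forSale check instead of updating the counts again.
        delete tokenIdToListing[tokenId];

        // Interactions: only now touch the token contract and pay the seller.
        martenitsaToken.updateCountMartenitsaTokensOwner(msg.sender, "add");
        martenitsaToken.updateCountMartenitsaTokensOwner(seller, "sub");

        (bool sent, ) = seller.call{value: salePrice}("");
        require(sent, "Failed to send Ether");

        martenitsaToken.safeTransferFrom(seller, msg.sender, tokenId);
        emit MartenitsaSold(tokenId, msg.sender, salePrice);
    }
}
```

With this ordering, every path that re-enters buyMartenitsa for the same tokenId (through the seller's receive hook or the buyer's onERC721Received) sees an empty listing and reverts, and the count can only move once per sale because the token contract rejects any caller other than the marketplace.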