Beginner Friendly | Foundry | GameFi
Submission Details
Severity: high
Valid

Unlimited Health Tokens can be minted

Summary

Unlimited Health Tokens can be minted because anyone can manipulate the MartenitsaToken count.

Vulnerability Details

Anyone can update the MartenitsaToken count of any owner because the MartenitsaToken.sol::updateCountMartenitsaTokensOwner() function has no access-control modifier; it is external and callable by any address:

    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }

Through this, any user can increase their MartenitsaToken count without actually buying a token. Combined with MartenitsaMarketplace.sol::collectReward(), which reads that count and pays out Health Tokens in proportion to it, an unlimited number of Health Tokens can be minted:

    function collectReward() external {
        require(!martenitsaToken.isProducer(msg.sender), "You are producer and not eligible for a reward!");
        uint256 count = martenitsaToken.getCountMartenitsaTokensOwner(msg.sender);
        uint256 amountRewards = (count / requiredMartenitsaTokens) - _collectedRewards[msg.sender];
        if (amountRewards > 0) {
            _collectedRewards[msg.sender] = amountRewards;
            healthToken.distributeHealthToken(msg.sender, amountRewards);
        }
    }

Impact

Loss of funds / severe disruption of the protocol: Health Tokens can be minted at will by any non-producer address.

Tools Used

Manual Review

Recommendations

An appropriate access-control modifier should be applied to MartenitsaToken.sol::updateCountMartenitsaTokensOwner() so that only the authorized contract can change an owner's count.
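The following is an added illustration of that recommendation, not the project's own code. The contract name MartenitsaTokenHardened, the immutable `marketplace` address, the `onlyMarketplace` modifier, the custom errors and the Foundry test are all assumptions made for this example; only the function name and the "add"/"sub" operation strings come from the finding. The test checks that an arbitrary caller can no longer move a count while the marketplace still can.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed hardened version of the token contract (example code, not the
// project's). The count can now only be changed by the marketplace that
// actually performs the sale.
contract MartenitsaTokenHardened {
    address public immutable marketplace; // assumed: set once at deployment
    mapping(address => uint256) public countMartenitsaTokensOwner;

    error NotMarketplace(address caller);
    error WrongOperation();

    constructor(address _marketplace) {
        marketplace = _marketplace;
    }

    // Access-control modifier: reject every caller except the marketplace.
    modifier onlyMarketplace() {
        if (msg.sender != marketplace) revert NotMarketplace(msg.sender);
        _;
    }

    function updateCountMartenitsaTokensOwner(address owner, string memory operation)
        external
        onlyMarketplace
    {
        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256("sub")) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert WrongOperation();
        }
    }

    function getCountMartenitsaTokensOwner(address owner) external view returns (uint256) {
        return countMartenitsaTokensOwner[owner];
    }
}

// Assumed Foundry test (forge-std) verifying the access control.
contract MartenitsaTokenHardenedTest is Test {
    MartenitsaTokenHardened token;
    address marketplace = makeAddr("marketplace"); // constructed address
    address attacker = makeAddr("attacker");       // constructed address

    function setUp() public {
        token = new MartenitsaTokenHardened(marketplace);
    }

    // A non-marketplace caller cannot inflate its own count any more.
    function test_attackerCannotInflateCount() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(MartenitsaTokenHardened.NotMarketplace.selector, attacker)
        );
        token.updateCountMartenitsaTokensOwner(attacker, "add");
        assertEq(token.getCountMartenitsaTokensOwner(attacker), 0);
    }

    // The marketplace keeps its ability to record a purchase.
    function test_marketplaceCanUpdateCount() public {
        vm.prank(marketplace);
        token.updateCountMartenitsaTokensOwner(attacker, "add");
        assertEq(token.getCountMartenitsaTokensOwner(attacker), 1);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. Since collectReward() trusts getCountMartenitsaTokensOwner() as proof of purchase, restricting the writer of that mapping to the marketplace is what closes the mint path described above.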

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
