After the event starts, any user holding the required health tokens can join the event, become a producer, create MartenitsaTokens and list them. Because MartenitsaMarketplace::collectReward and MartenitsaMarketplace::makePresent are not restricted during this time, a malicious user can have an unlimited number of alternate addresses join the event as producers, list an unlimited number of MartenitsaTokens, and obtain an unlimited number of health tokens and MartenitsaTokens, all starting from a single health token.
With just 1 health token, a malicious user can create multiple aliases that collect unlimited health tokens and MartenitsaTokens and list unlimited MartenitsaTokens.
Steps in which a malicious user can exploit the issue:
1. The malicious user initially buys 3 martenitsas using MartenitsaMarketplace::buyMartenitsa.
2. He then calls MartenitsaMarketplace::collectReward to claim 1 health token.
3. When the event starts, he calls MartenitsaEvent::joinEvent to join the event and become a producer.
4. He creates multiple aliases (wallets or smart contracts).
5. As a producer, he can now create unlimited martenitsas using MartenitsaToken::createMartenitsa.
6. Since MartenitsaMarketplace::collectReward and MartenitsaMarketplace::makePresent are unrestricted during the event, he can makePresent the created martenitsas to his aliases and have them call MartenitsaMarketplace::collectReward.
7. All these aliases now hold 1 health token each and can join the event to become producers.
8. They can then list unlimited martenitsas.
The issue can be mitigated by restricting MartenitsaMarketplace::collectReward and MartenitsaMarketplace::makePresent during the event, which can be accomplished with OpenZeppelin's Pausable contract module.
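As an added illustration of that mitigation (not the project's code), the sketch below is a simplified stand-in for MartenitsaMarketplace that inherits OpenZeppelin's Pausable and gates both functions with whenNotPaused, so that while the event runs no martenitsas can be gifted to aliases and no rewards can be claimed. The pause hooks called by MartenitsaEvent, the reward bookkeeping (3 martenitsas per health token) and the OpenZeppelin v5 import paths are assumptions.

```solidity
pragma solidity ^0.8.20;

import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

interface IHealthToken {
    function mint(address to, uint256 amount) external;
}

// Simplified stand-in for MartenitsaMarketplace (assumption, not the project's code).
contract MartenitsaMarketplaceHardened is Pausable, Ownable {
    IERC721 public immutable martenitsaToken;
    IHealthToken public immutable healthToken;
    address public immutable martenitsaEvent;           // assumed: only this address may pause/unpause
    mapping(address => uint256) public collectedCount;  // martenitsas credited toward rewards
    // buyMartenitsa (listing/purchase logic omitted here) would increment collectedCount[buyer].

    constructor(IERC721 _martenitsaToken, IHealthToken _healthToken, address _event) Ownable(msg.sender) {
        martenitsaToken = _martenitsaToken;
        healthToken = _healthToken;
        martenitsaEvent = _event;
    }

    // Assumed hook: MartenitsaEvent calls this when the event starts ...
    function pauseForEvent() external {
        require(msg.sender == martenitsaEvent, "only event");
        _pause();
    }

    // ... and this when the event ends, restoring normal marketplace behaviour.
    function unpauseAfterEvent() external {
        require(msg.sender == martenitsaEvent, "only event");
        _unpause();
    }

    // whenNotPaused: martenitsas cannot be shuffled to aliases while the event runs.
    // Caller must have approved this contract for tokenId (standard ERC721 approval).
    function makePresent(address to, uint256 tokenId) external whenNotPaused {
        martenitsaToken.transferFrom(msg.sender, to, tokenId);
        collectedCount[msg.sender] -= 1;   // reverts on underflow if the sender has none credited
        collectedCount[to] += 1;
    }

    // whenNotPaused: gifted martenitsas cannot be converted into health tokens during the event.
    function collectReward() external whenNotPaused {
        require(collectedCount[msg.sender] >= 3, "need 3 martenitsas");
        collectedCount[msg.sender] -= 3;   // each reward consumes 3 martenitsas (simplification)
        healthToken.mint(msg.sender, 1);
    }
}
```

With this wiring the alias loop in steps 6 and 7 reverts with "EnforcedPause" for the whole duration of the event, so only addresses that earned a health token before the event can join it.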