Lack of proper reward calculation in `MartenitsaMarketplace::collectReward` function can lead to denying rewards for user that transfers tokens and acquires new tokens.
Summary
Reward calculation is faulty in MartenitsaMarketplace::collectReward function because it is not considering that user can transfer tokens and acquire new ones.
Vulnerability Details
Natspec function comment says: "The user can get for every 3 different MartenitsaTokens 1 HealthToken". Which means user should be able to claim 1 health token for every 3 different Martenitsa tokens.
User has 3 Martenitsa token, and is eligible for reward.
User collects reward by calling
MartenitsaMarketplace::collectRewardfunction.User transfer those 3 tokens to another address.
User acquires 3 completely different tokens (different token id).
User is not eligible for rewards when calling
MartenitsaMarketplace::collectRewardfunction.
Impact
User can be denied rewards that it has rights to because of faulty logic.
Tools Used
Manual review
Recommendations
Make reward collection logic so that is not dependent of how many tokens user has, but of how many token ids it has that were not claimed yet.
Lead Judging Commences
Incorrect logic in collectReward
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.