The updateCountMartenitsaTokensOwner function in the MartenitsaToken contract accepts an arbitrary owner address from any caller, so an attacker can act on any address's token count as if they owned it. This lets them run the add and sub operations against that address and change the count the contract associates with it.
The updateCountMartenitsaTokensOwner function in the MartenitsaToken contract does not enforce the protocol's requirement that owning 3 MartenitsaTokens qualifies a user for a healthToken. Because the function is declared external and applies no access control, anyone can call it and choose its parameters, in particular the owner address.
Exploiting this vulnerability, attackers have two avenues:
Token Count Manipulation: Attackers can utilize the add operation to inflate their token count, meeting the threshold for receiving a healthToken. Conversely, they can use sub to decrement the token counts of other users, preventing them from qualifying for rewards in the MartenitsaMarketplace::collectReward() function.
Ownership Forgery: By falsely claiming ownership of other users' token counts, attackers gain unauthorized control over token balances, distorting the fairness and integrity of the reward system.
These exploitative actions violate the protocol's core principle, where ownership of 3 MartenitsaTokens warrants a healthToken. Consequently, the protocol's reliability and equity are jeopardized, exposing it to substantial exploitation risks.
1. Using the add operation, an attacker can raise their own token count as high as they like, making themselves eligible to collect rewards.
2. Using the sub operation, an attacker can lower other users' token counts, denying them their rewards or healthToken.
Likelihood: High
Impact: High
Tools used: Manual review
Recommended mitigation: Make the updateCountMartenitsaTokensOwner() function internal.
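An illustrative sketch of the pattern described above, written for this write-up rather than taken from the MartenitsaToken contract (the mapping name, the string-based "add"/"sub" selector and the transfer hook are assumptions): the unguarded external updater beside a version that applies the recommended fix and derives counts from actual token movement instead of caller input.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch, not the audited contract. The mapping name and the
// string-based "add"/"sub" selector are assumptions made for this example.
contract MartenitsaTokenVulnerable {
    mapping(address => uint256) public countMartenitsaTokensOwner;

    // Vulnerable: any caller may pass any `owner`. The count can be pushed up
    // to the healthToken threshold for the caller's own address, or pushed
    // down for another user's address so they no longer qualify in collectReward().
    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        bytes32 op = keccak256(bytes(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256("sub")) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
}

contract MartenitsaTokenFixed {
    mapping(address => uint256) public countMartenitsaTokensOwner;

    // Fixed per the recommendation: the updater is internal, so only code
    // inside this contract can adjust a count, and the owner is never a
    // value supplied by an external caller.
    function _updateCountMartenitsaTokensOwner(address owner, bool increase) internal {
        if (increase) {
            countMartenitsaTokensOwner[owner] += 1;
        } else {
            countMartenitsaTokensOwner[owner] -= 1;
        }
    }

    // Assumed legitimate internal caller: a transfer hook keeps the counts in
    // sync with real token ownership (address(0) stands for mint/burn).
    function _afterTokenTransfer(address from, address to) internal {
        if (from != address(0)) _updateCountMartenitsaTokensOwner(from, false);
        if (to != address(0)) _updateCountMartenitsaTokensOwner(to, true);
    }
}
```

If a trusted contract such as the marketplace genuinely needs to trigger the update, the function can stay external but must check that msg.sender is that contract; what must not remain is an unrestricted, caller-chosen owner.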