Submission Details
Severity: high
Invalid

Producer can buy his own `MartenitsaToken` as a user at a low price to obtain large amounts of `HealthTokens`

Summary

Producer can buy his own MartenitsaToken as a user at a low price to obtain large amounts of HealthTokens

Vulnerability Details

In the `MartenitsaMarketplace::listMartenitsaForSale` function, a producer can list his `MartenitsaToken` at any price greater than 0, even a price of 1 wei.
This allows the producer to buy his own `MartenitsaTokens` by using another address he controls and posing as a user. Also, as a user, the producer can obtain as many `MartenitsaTokens` as possible, since there is no limit on creating new `MartenitsaTokens`.

As a user, the malicious producer can then call the `collectReward` function to gain large amounts of `HealthTokens`.

Impact

The `MartenitsaMarketplace` contract will lose its meaning, as producers will only want to create their `MartenitsaTokens`, sell them at a very low price, and then buy them back themselves. There will be no market for users to buy `MartenitsaTokens`. Also, more `HealthTokens` will be minted than the protocol intends.

Tools Used

Manual Review

Recommendations

The owner of the `MartenitsaMarketplace` contract should set a minimum price limit in the `listMartenitsaForSale` function so that producers have to pay moderate amounts of ether to buy their own `MartenitsaTokens`, thereby discouraging them from acting maliciously.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
