Severity: high
Invalid

Producer can gift his `MartenitsaToken` to himself as a user to obtain large amounts of `HealthTokens`

Summary

Producer can gift his MartenitsaToken to himself as a user to obtain large amounts of HealthTokens.

Vulnerability Details

In the MartenitsaMarketplace::makePresent function, there is no check that restricts access for producers. This allows a producer to gift his own MartenitsaToken to himself by using another of his own addresses and posing as a user. Also, the producer can gain as many MartenitsaTokens as possible as a user, since there is no limit on creating new MartenitsaTokens.

As a user, the malicious producer can call the makePresent function to gain large amounts of HealthTokens.

Impact

The MartenitsaMarketplace contract will lose its meaning, as producers will only want to create their MartenitsaTokens and gift them to themselves rather than sell them. There will be no market for users to buy MartenitsaTokens. Also, more HealthTokens will be minted than the protocol intends.

Tools Used

Manual Review

Recommendations

Add a require statement in the makePresent function so that only users can use this function.
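A sketch of the recommended guard, added here as an illustration; it is not the audited contract's code or the submitter's patch. Only the `makePresent` name comes from this page: the `isProducer` view, the interface, the contract name and the parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal view of the token contract. `isProducer` is an
// assumed lookup that reports whether an address is a registered producer.
interface IMartenitsaTokenLike {
    function isProducer(address account) external view returns (bool);
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical stand-in for the marketplace, reduced to the gifting path.
contract MarketplaceGiftSketch {
    IMartenitsaTokenLike public immutable token;

    constructor(address token_) {
        token = IMartenitsaTokenLike(token_);
    }

    // Gift a token the caller owns to `presentReceiver`.
    // The caller must have approved this contract for `tokenId` beforehand.
    function makePresent(address presentReceiver, uint256 tokenId) external {
        require(token.ownerOf(tokenId) == msg.sender, "caller does not own token");

        // The restriction recommended above: registered producers may not gift.
        require(!token.isProducer(msg.sender), "producers cannot make presents");

        // Reject the degenerate case of gifting to oneself.
        require(presentReceiver != msg.sender, "cannot gift to self");

        token.transferFrom(msg.sender, presentReceiver, tokenId);
    }
}
```

The guard is evaluated per address: it stops a registered producer address from calling `makePresent`, but a contract cannot tell whether two different addresses belong to the same person.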

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
