User/producer can transfer their MT without updating their `countMartenitsaTokensOwner` variable which leads to gaining more HT
Summary
User/producer can transfer their MartenitsaToken without updating their countMartenitsaTokensOwner variable which leads to gaining more HealthTokens
Vulnerability Details
As MartenitsaToken has ERC721 token standard, any user can transfer their tokens using transferFrom or safeTransferFrom functions. Malicious Users/producers can use these functions to transfer their MartenitsaTokens to their new addresses. As countMartenitsaTokensOwner variable in not updated when using these functions, malicious actors can use this to gain more HealthTokens than intended by accessing collectReward function.
Impact
MartenitsaMarketplace contract will lose it's meaning as producers will only want to create their MartenitsaTokens and transfer them to their new addresses. There will be no market for users to buy MartenitsaTokens. Also, HealthTokens will be minted more than intended by the protocol.
Tools Used
Manual Review
Recommendations
There are 2 ways to resolve this:
Add
MartenitsaToken::updateCountMartenitsaTokensOwnerfunction intransferFrom,safeTransferFromfunctions such that even if any malicious actor uses these functions, theircountMartenitsaTokensOwnervariable is also updated.Add revert statement in
transferFrom,safeTransferFromfunctions such that every time these functions are called, they will be reverted. Thus, making transfer of tokens impossible for any user be it malicious or not.
Lead Judging Commences
ERC721 `transferFrom` not overriden
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.