Submission Details
Severity: high
Valid

Anybody can call the updateCountMartenitsaTokensOwner function and alter token counts

Summary

Function updateCountMartenitsaTokensOwner in MartenitsaToken.sol:

  1. Can be called by any user and alters the MartenitsaToken count of any address.

  2. Can be used, through repeated calls, to increase or decrease a token count to any number.

  3. This influences the number of Health Tokens given to a user, since that allocation depends primarily on the number of Martenitsa tokens the user holds.

Vulnerability Details

The function updates the token count of the input argument "owner" irrespective of who msg.sender is. It is possible for user A to call this function with user B's address as input and alter B's token count. It is also possible for user A to increase or decrease their own token count to any number.

```solidity
function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
    if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
        countMartenitsaTokensOwner[owner] += 1;
    } else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
        countMartenitsaTokensOwner[owner] -= 1;
    } else {
        revert("Wrong operation");
    }
}
```

Impact: High

Tools Used: Manual review

Recommendations

  1. Implement checks before altering the countMartenitsaTokensOwner mapping, for example by using msg.sender instead of the owner argument if that fits the protocol's functionality.

  2. The function should not be external, or it should carry sufficient access control modifiers.
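One way to apply the second recommendation, as an added example that is not the project's code: the count can only be changed by callers the contract owner has explicitly allow-listed. The allowlist design, the allowedUpdater mapping and the custom errors are assumptions about how the protocol would wire its own contracts in; the function's external interface is kept unchanged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hardened sketch (added example, not the project's code). Only addresses the
// deployer has allow-listed may adjust the per-address count; the allowlist
// and the names `allowedUpdater` / `NotAllowedUpdater` are assumptions.
contract MartenitsaTokenHardened {
    address public immutable owner;
    mapping(address => bool) public allowedUpdater;          // assumed allowlist
    mapping(address => uint256) public countMartenitsaTokensOwner;

    error NotOwner();
    error NotAllowedUpdater(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Only the deployer decides which contracts may touch the counts.
    function setAllowedUpdater(address updater, bool allowed) external onlyOwner {
        allowedUpdater[updater] = allowed;
    }

    // Same signature as the original function, but gated on msg.sender rather
    // than trusting whoever passes in an arbitrary `tokenOwner` address.
    // Underflow on "sub" reverts automatically under Solidity >= 0.8.
    function updateCountMartenitsaTokensOwner(address tokenOwner, string memory operation) external {
        if (!allowedUpdater[msg.sender]) revert NotAllowedUpdater(msg.sender);

        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256("add")) {
            countMartenitsaTokensOwner[tokenOwner] += 1;
        } else if (op == keccak256("sub")) {
            countMartenitsaTokensOwner[tokenOwner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
}
```

A Foundry test for this version should expect a NotAllowedUpdater revert when the call comes from any address that has not been allow-listed, and a successful increment only after setAllowedUpdater has been called by the owner.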

Updates

Lead Judging Commences

bube (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
