Summary
The updateCountMartenitsaTokensOwner function in the MartenitsaToken.sol contract can be called by anyone to arbitrarily change countMartenitsaTokensOwner.
Vulnerability Details
The function updateCountMartenitsaTokensOwner is external and has no requirements. See the following code.
    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
Impact
Users can arbitrarily change the countMartenitsaTokensOwner value of any user, thus changing the quantity of HealthTokens that user can claim.
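A regression check for the missing caller restriction, as an added example that is not code from the audited project: a reduced model of the counter is deployed with and without a caller check of the kind the Recommendations section proposes, and a harness records which callers are accepted. The contract names CounterModel and CallerCheckRegression, the guarded flag, the marketplace field standing in for _martenitsaMarketplace, the sample addresses and the compiler version are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21; // assumed compiler version

// Reduced model of the counter logic; `guarded` toggles the caller check.
contract CounterModel {
    address public immutable marketplace; // stand-in for _martenitsaMarketplace
    bool public immutable guarded;
    mapping(address => uint256) public countMartenitsaTokensOwner;

    constructor(address marketplace_, bool guarded_) {
        marketplace = marketplace_;
        guarded = guarded_;
    }

    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
        if (guarded) {
            require(msg.sender == marketplace, "Unable to call this function");
        }
        bytes32 op = keccak256(abi.encodePacked(operation));
        if (op == keccak256(abi.encodePacked("add"))) {
            countMartenitsaTokensOwner[owner] += 1;
        } else if (op == keccak256(abi.encodePacked("sub"))) {
            countMartenitsaTokensOwner[owner] -= 1;
        } else {
            revert("Wrong operation");
        }
    }
}

// Hypothetical harness: this contract acts first as an unrelated caller, then as the marketplace.
contract CallerCheckRegression {
    function run() external returns (bool openAccepts, bool guardedRejects, bool marketplaceAccepts) {
        address holder = address(0xBEEF);      // constructed sample address
        address otherMarket = address(0xCAFE); // constructed: the marketplace is a different account

        CounterModel unguarded = new CounterModel(otherMarket, false);
        try unguarded.updateCountMartenitsaTokensOwner(holder, "add") {
            openAccepts = unguarded.countMartenitsaTokensOwner(holder) == 1; // behaviour reported above
        } catch {}

        CounterModel locked = new CounterModel(otherMarket, true);
        try locked.updateCountMartenitsaTokensOwner(holder, "add") {} catch {
            guardedRejects = locked.countMartenitsaTokensOwner(holder) == 0; // counter left unchanged
        }

        CounterModel lockedForUs = new CounterModel(address(this), true);
        try lockedForUs.updateCountMartenitsaTokensOwner(holder, "add") {
            marketplaceAccepts = lockedForUs.countMartenitsaTokensOwner(holder) == 1;
        } catch {}
    }
}
```

The same three checks can be ported to the project's own test suite against the real MartenitsaToken contract once the caller restriction is in place.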
Tools Used
Manual review
Recommendations
Make these changes to the codebase:
function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
+ require(msg.sender == address(_martenitsaMarketplace), "Unable + to call this function");
if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
countMartenitsaTokensOwner[owner] += 1;
} else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
countMartenitsaTokensOwner[owner] -= 1;
} else {
revert("Wrong operation");
}
}
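Review bot: the revert string in the added require line reads "Unable + to call this function"; the "+" inside the literal looks like a wrapped diff marker rather than intended text, so the message should be "Unable to call this function". The check also only holds if _martenitsaMarketplace already contains the marketplace address when this function is called, and nothing in this hunk shows where that variable is assigned, so confirm it is set before the token contract is usable and cannot be left at the zero address.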