First Flight #13: Baba Marta
First Flight #13
Beginner FriendlyFoundryGameFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`updateCountMartenitsaTokensOwner` malicious function allows anyone to update the number of `MartenitsaToken` of anyone

0xjarix

Summary

Control Access issue in the updateCountMartenitsaTokensOwner() function allowing anyone to update the number of MartenitsaToken of anyone.

Vulnerability Details

The countMartenitsaTokensOwner[] mapping should be updated solely when a producer creates a MartenitsaToken or when a user buys a MartenitsaToken or makes a present. However, the updateCountMartenitsaTokensOwner(address owner, string memory operation) function allows anyone from outside the contract to update countMartenitsaTokensOwner[owner] as he wishes.

Impact

Anyone can collect more healthTokens than they should by increasing their countMartenitsaTokensOwner by specifying their address as the owner agrument. getCountMartenitsaTokensOwner will give a wrong return value, collectRewards() will send the attacker more healthTokens than it should.

Tools Used

Manual analysis

Recommendations

import {MartenitsaMarketplace} from "./MartenitsaMarketplace.sol";

add this line as a state variable:
MartenitsaMarketplace private _martenitsaMarketplace;

function updateCountMartenitsaTokensOwner(address owner, string memory operation) external {
-
+ require(msg.sender == address(_martenitsaMarketplace));
if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("add"))) {
countMartenitsaTokensOwner[owner] += 1;
} else if (keccak256(abi.encodePacked(operation)) == keccak256(abi.encodePacked("sub"))) {
countMartenitsaTokensOwner[owner] -= 1;
} else {
revert("Wrong operation");
}
}```
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.