`MartenitsaMarketplace::_collectedRewards` is not correctly updated inside `collectReward` function allowing for unlimited HealthToken mints just by holding 6 different MartenitsaTokens.
Summary
The function collectReward is intended to allow users to mint 1 HealthToken for every 3 different
MartenitsaTokens they held.
Inside it's implementation, the function fails to aggregate the number of rewards already collected by
the user. Instead it sets _collectedRewards[msg.sender] to the latest amount of rewards claimed by the user.
Vulnerability Details
By buying 6 MartenitsaTokens an attacker should be able to mint an unlimited amount of HealthTokens.
Proof of concept
Attacker buys 3 distinct tokens
Attacker calls collectReward to receive one HealthToken
Attacker buys 3 extra distinct tokens
Attacker calls collectReward to receive one additional HealthToken
Repeat 4 an unlimited number of times.
PoC
Place the following code in MartenitsaMarketplace.t.sol.
Impact
It's possible to mint an unlimited amount of HealthTokens by holding 6 distinct MartenitsaTokens.
Tools Used
Manual review
Recommended Mitigation
Lead Judging Commences
_collectedRewards is not updated correctly
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.