MartenitsaToken::updateCountMartenitsaTokensOwner function does not check the actual balance of the owner address before updating the state.

Description: The updateCountMartenitsaTokensOwner function is supposed to keep track of the count of martenitsaTokens held by a specific address. However, any user can call this function and pass in their own address or another user's address, and so change the tracked count for that address at will.

Impact: A user can artificially inflate their tracked balance without limit and mint an indefinite amount of HealthToken by calling the MartenitsaMarketplace::collectReward function, or they can reduce the tracked token count of other users to 0.
Proof of Concepts: I updated the MartenitsaToken::testUpdateCount test inside MartenisaToken.t.sol. The test shows that bob can change chasy's balance however he wants.
Recommended mitigation: Implement a balance check inside the MartenitsaToken::updateCountMartenitsaTokensOwner function to validate that the owner indeed holds more or fewer tokens before updating the state. It is also worth considering adding access control so that only the trusted marketplace contract can call it.

Tools used: Manual review
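As an added illustration of both recommendations (this is not the audited project's code; the function signature, the countMartenitsaTokensOwner mapping, the marketplace role and the OpenZeppelin base contracts are assumptions), a hardened version restricts the caller to the marketplace and only lets the tracked count move to the owner's real ERC721 balance:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Added illustration, not the project's code. The state variable name,
// the marketplace role and the function signature are assumptions.
contract MartenitsaTokenHardened is ERC721, Ownable {
    mapping(address => uint256) public countMartenitsaTokensOwner;
    address public marketplace; // the only contract allowed to update counts

    error NotMarketplace();
    error WrongOperation();
    error CountMismatch(address owner, uint256 expected, uint256 actual);

    constructor() ERC721("MartenitsaToken", "MT") Ownable(msg.sender) {}

    function setMarketplace(address _marketplace) external onlyOwner {
        marketplace = _marketplace;
    }

    // Access control: an arbitrary caller can no longer touch another user's count.
    function updateCountMartenitsaTokensOwner(address owner, string calldata operation) external {
        if (msg.sender != marketplace) revert NotMarketplace();

        uint256 current = countMartenitsaTokensOwner[owner];
        uint256 next;
        if (keccak256(bytes(operation)) == keccak256("add")) {
            next = current + 1;
        } else if (keccak256(bytes(operation)) == keccak256("sub")) {
            next = current - 1; // underflow reverts under 0.8.x checked arithmetic
        } else {
            revert WrongOperation();
        }

        // Balance check: the tracked count may only move to the owner's true
        // holdings, so it can be neither inflated nor zeroed out by repeated calls.
        uint256 actual = balanceOf(owner);
        if (next != actual) revert CountMismatch(owner, next, actual);
        countMartenitsaTokensOwner[owner] = next;
    }
}
```

If the counter serves no purpose beyond mirroring ownership, reading balanceOf(owner) directly wherever the count is consumed removes the stale-state risk altogether.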