Submission Details
Severity: high
Valid

[H-1] Martenitsa token count can be manipulated by any user because the MartenitsaToken::updateCountMartenitsaTokensOwner function does not check the actual balance of the owner address before updating the state.

Description: The updateCountMartenitsaTokensOwner function is supposed to keep track of the number of Martenitsa tokens held by a specific address. However, any user can call this function, pass in their own address or another user's address, and increment or decrement the recorded count without the actual token balance of that address being checked.

Impact: A user can inflate their recorded count without bound and mint an unlimited amount of HealthToken by calling the MartenitsaMarketplace::collectReward function, or they can reduce the recorded count of other users to 0.

Proof of Concept: I updated the MartenitsaToken::testUpdateCount test inside MartenitsaToken.t.sol. The test shows that bob can change chasy's balance however he wants.

Proof of Code

```solidity
function testUpdateCount() public createMartenitsa {
    // chasy bumps her own recorded count (the modifier has already given her one token)
    vm.prank(chasy);
    martenitsaToken.updateCountMartenitsaTokensOwner(chasy, "add");
    assert(martenitsaToken.getCountMartenitsaTokensOwner(chasy) == 2);

    // bob, an unrelated user, increments chasy's count without holding or moving any token
    vm.prank(bob);
    martenitsaToken.updateCountMartenitsaTokensOwner(chasy, "add");
    assert(martenitsaToken.getCountMartenitsaTokensOwner(chasy) == 3);

    // bob can also decrement chasy's count at will
    vm.prank(bob);
    martenitsaToken.updateCountMartenitsaTokensOwner(chasy, "sub");
    assert(martenitsaToken.getCountMartenitsaTokensOwner(chasy) == 2);
}
```

Recommended mitigation: Implement a balance check inside the MartenitsaToken::updateCountMartenitsaTokensOwner function so that the recorded count is only incremented when the owner actually holds more tokens than recorded, and only decremented when the owner actually holds fewer. It is also worth considering adding access control so that only the trusted contract that moves tokens can call the function.
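One way to apply both recommendations, as an added sketch that is not the audited contract's code (the counter mapping, the `marketplace` address, the custom errors and the use of OpenZeppelin v5 are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only; assumes OpenZeppelin v5 is installed.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract MartenitsaTokenSketch is ERC721, Ownable {
    mapping(address => uint256) private countMartenitsaTokensOwner;
    address public marketplace; // hypothetical: the only caller allowed to adjust counts

    error NotMarketplace();
    error CountDoesNotMatchBalance(address owner, uint256 recorded, uint256 actual);
    error InvalidOperation();

    constructor() ERC721("MartenitsaToken", "MT") Ownable(msg.sender) {}

    function setMarketplace(address m) external onlyOwner {
        marketplace = m;
    }

    modifier onlyMarketplace() {
        if (msg.sender != marketplace) revert NotMarketplace();
        _;
    }

    // Hardened version: the caller is restricted, and every adjustment is checked
    // against the real ERC721 balance so the recorded count cannot drift from it.
    function updateCountMartenitsaTokensOwner(address owner, string memory operation) external onlyMarketplace {
        uint256 recorded = countMartenitsaTokensOwner[owner];
        uint256 actual = balanceOf(owner);
        bytes32 op = keccak256(bytes(operation));
        if (op == keccak256("add")) {
            // "add" is only valid when the owner really holds more tokens than recorded
            if (actual <= recorded) revert CountDoesNotMatchBalance(owner, recorded, actual);
            countMartenitsaTokensOwner[owner] = recorded + 1;
        } else if (op == keccak256("sub")) {
            // "sub" is only valid when the owner really holds fewer tokens than recorded
            if (actual >= recorded) revert CountDoesNotMatchBalance(owner, recorded, actual);
            countMartenitsaTokensOwner[owner] = recorded - 1;
        } else {
            revert InvalidOperation();
        }
    }

    function getCountMartenitsaTokensOwner(address owner) external view returns (uint256) {
        return countMartenitsaTokensOwner[owner];
    }
}
```

With this shape, the calls from bob in the proof of concept revert with NotMarketplace, and even the marketplace cannot push the count past the owner's real balance.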

Tools used: Manual review

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing access control
