First Flight #13: Baba Marta

First Flight #13

Beginner FriendlyFoundryGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Anyone can update the count of `martenitsaTokens`

0xE79e

Summary

Anyone can call MartenitsaToken::updateCountMartenitsaTokensOwner function and update the count of martenistsaToken, which affect the collection of healthToken.

Vulnerability Details

MartenitsaToken::updateCountMartenitsaTokensOwner function allows anyone to update martenistsaToken count, so users can add count of martenitsaToken to them self or substract the count of other users. With more martenitsaToken users can collect infinite healthToken by calling MartenitsaMarketplace::collectReward function.

Impact

Users can increase their own martenitsaToken balance to collect larger rewards.
Users can decrease others' martenitsaToken balances to prevent them from collecting rewards.

Tools Used

Manual Review

Recommendations

Implement internal visibility for MartenitsaToken::updateCountMartenitsaTokensOwner function.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Missing access control

Rewards breakdown

nSLOC

239

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!