MartenitsaMarketplace::_collectedRewards allows a user that holds 6 MartenitsaTokens to mint an indefinite amount of HealthTokens via the MartenitsaMarketplace::collectReward function.

Description: The MartenitsaMarketplace::collectReward function is supposed to allow users to collect 1 HealthToken for every 3 different MartenitsaTokens that they hold. If a user gets 6 tokens, they will be able to call collectReward as many times as they want, and they will continue to receive HealthTokens.
Impact: A malicious user can mint an indefinite amount of HealthTokens.
Proof of Concept: Paste this test inside the MartenitsaMarketplace.t.sol file.

Test output
Recommended mitigation: Increment the MartenitsaMarketplace::_collectedRewards mapping by amountRewards after each call (`+=`) instead of overwriting it with `= amountRewards`. This way the stored value also accounts for past claims. Right now it is off by 1.
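To make the accounting error concrete, here is an added Python model of the reward bookkeeping (example code written for this write-up, not the project's Solidity): it assumes a claim pays floor(tokens / 3) minus the recorded collected amount, and compares the overwrite (`=`) against the recommended accumulate (`+=`) across a sequence of calls.

```python
# Added example, not code from the MartenitsaMarketplace project.
# Models the reward accounting of collectReward under the assumption that
# one call pays floor(tokens / 3) minus the amount recorded as collected,
# then records the payout either by overwriting (the reported bug) or by
# accumulating (the recommended mitigation).

REQUIRED_TOKENS = 3  # 1 HealthToken per 3 MartenitsaTokens, as the report states


def collect_reward(token_count: int, collected: int, fixed: bool) -> tuple[int, int]:
    """Return (rewards_paid, new_collected) for a single collectReward call.

    fixed=False reproduces the bug: the mapping is set to this call's payout
    (collected = amountRewards), forgetting earlier claims.
    fixed=True applies the mitigation: the mapping accumulates
    (collected += amountRewards).
    """
    amount_rewards = token_count // REQUIRED_TOKENS - collected
    if amount_rewards <= 0:
        return 0, collected
    new_collected = collected + amount_rewards if fixed else amount_rewards
    return amount_rewards, new_collected


def simulate(claim_points: list[int], calls_per_point: int, fixed: bool) -> int:
    """Total HealthTokens paid when a holder calls collectReward
    `calls_per_point` times at each token count listed in `claim_points`
    (constructed scenario: the holder acquires tokens between points)."""
    collected = 0
    total = 0
    for count in claim_points:
        for _ in range(calls_per_point):
            paid, collected = collect_reward(count, collected, fixed)
            total += paid
    return total


if __name__ == "__main__":
    # A holder claims once at 3 tokens, then calls five times at 6 tokens.
    # With the overwrite, every call at 6 tokens pays again; with the
    # accumulate, only one more HealthToken is ever paid.
    print("vulnerable:", simulate([3, 6], 5, fixed=False))
    print("mitigated :", simulate([3, 6], 5, fixed=True))
```

With the overwrite, the mapping is stuck at 1 while the entitlement is 2, so the difference never reaches zero; a detection check on-chain would be HealthToken balance exceeding floor(held MartenitsaTokens / 3) for any holder.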
Tools used: Manual review