Submission Details
Severity: high
Valid

Incorrect Calculation of Collected Rewards in collectReward Function

Summary

The collectReward function in the MartenitsaMarketplace.sol contract enables users to claim rewards based on their token ownership. However, a vulnerability exists in the current implementation, allowing users to potentially receive more rewards than intended by claiming them incrementally. This vulnerability stems from the incorrect handling of previously claimed rewards, leading to an inflation of rewards and imbalance in the ecosystem.

Vulnerability Details

The vulnerability arises due to the flawed calculation of rewards in the collectReward function. Users are entitled to one reward token for every three tokens they own. However, the function fails to accurately track previously claimed rewards, resulting in users potentially receiving excessive rewards when claiming them incrementally.

For example, if a user owns 12 tokens and claims rewards incrementally, they should receive 4 reward tokens in total. However, due to the oversight, they may receive 6 reward tokens instead, resulting in an unintended increase in the reward distribution.

A proof of concept demonstrating this vulnerability is available in the following gist: Proof of Concept Gist. It should be added to the MartenitsaMarketplace.t.sol file.

Impact

This vulnerability enables users to exploit the reward system, potentially leading to an inflation of rewards and disrupting the ecosystem's balance. It may result in an increased circulating supply of reward tokens, affecting their value and utility within the platform. Moreover, it undermines the fairness and integrity of the reward distribution mechanism.

Tools Used

Manual code review.

Recommendations

To mitigate this vulnerability and ensure the accurate distribution of rewards, it is imperative to implement proper tracking of previously claimed rewards. Adjust the collectReward function as follows:

    function collectReward() external {
        require(
            !martenitsaToken.isProducer(msg.sender),
            "You are a producer and not eligible for a reward!"
        );
        uint256 count = martenitsaToken.getCountMartenitsaTokensOwner(msg.sender);
        uint256 totalRewards = count / requiredMartenitsaTokens;
        uint256 newRewards = totalRewards - _collectedRewards[msg.sender]; // Calculate new rewards
        if (newRewards > 0) {
            _collectedRewards[msg.sender] += newRewards; // Increment previously claimed rewards
            healthToken.distributeHealthToken(msg.sender, newRewards); // Distribute new rewards
        }
    }

With this fix, the collectReward function accurately tracks previously claimed rewards and ensures users receive rewards based on their total token ownership. This adjustment promotes fairness and consistency in the reward distribution process.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

_collectedRewards is not updated correctly
