Submission Details
Severity: medium
Invalid

Missing functionality in `MartenitsaMarketplace` for sellers to cancel the listing of their earlier listed, unbought martenitsa token.

Summary

The Baba Marta protocol documentation states, under MartenitsaMarketplace, that the producer should be able to cancel their listing of a Martenitsa token. No such functionality is present in `MartenitsaMarketplace`, so sellers will never be able to cancel their listing.

Vulnerability Details

The vulnerability is in the `MartenitsaMarketplace` contract, which fails to implement a crucial functionality mentioned in the protocol docs: allowing sellers to cancel the listing of their token. Because it is unimplemented, a seller will never be able to cancel their listing.

Impact

Sellers will never be able to cancel the listing of their Martenitsa token, which is a crucial functionality mentioned in the docs.

Tools Used

Manual Review

Recommendations

Implement the required functionality.

diff --git a/src/MartenitsaMarketplace.sol b/src/MartenitsaMarketplace.sol
index bba0099..4226ac9 100644
--- a/src/MartenitsaMarketplace.sol
+++ b/src/MartenitsaMarketplace.sol
@@ -25,6 +25,7 @@ contract MartenitsaMarketplace is Ownable {
event MartenitsaListed(uint256 indexed tokenId, address indexed seller, uint256 indexed price);
event MartenitsaSold(uint256 indexed tokenId, address indexed buyer, uint256 indexed price);
+ event MartenitsaListingCancelled(uint256 indexed tokenId, address indexed seller);
constructor(address _healthToken, address _martenitsaToken) Ownable(msg.sender) {
healthToken = HealthToken(_healthToken);
@@ -53,6 +54,14 @@ contract MartenitsaMarketplace is Ownable {
emit MartenitsaListed(tokenId, msg.sender, price);
}
+ function cancelListing(uint256 tokenId) external {
+ require(msg.sender == tokenIdToListing[tokenId].seller, "You are not the owner of this token");
+
+ delete tokenIdToListing[tokenId];
+
+ emit MartenitsaListingCancelled(tokenId, msg.sender);
+ }
+
/**
* @notice Function to buy a martenitsa.
* @param tokenId The tokenId of martenitsa.
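Review bot: The `require` in `cancelListing` compares `msg.sender` with the stored `tokenIdToListing[tokenId].seller`, yet its revert string reads "You are not the owner of this token", and a `tokenId` that was never listed (stored seller still the zero address) reverts with that same message. Suggest a separate check that a listing exists, with its own error, and rewording the string to refer to the seller of the listing rather than the owner of the token. The new function also has no NatSpec, while the function directly below it carries `@notice` and `@param` lines; add the same here.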
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
shikhar229169 Submitter
over 1 year ago
bube Lead Judge
over 1 year ago
bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
