Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

SystemConfig::updateMarketPlaceStatus() can be called on market that does not exist

Summary

SystemConfig::updateMarketPlaceStatus() updates the market place status for a given market place name. The current implementation does not check that the market exists before writing the MarketPlaceStatus. As a result, this function can effectively create a new marketPlace entry, which should not be allowed.

Vulnerability Details

marketPlaceInfoMap is a mapping, so reading a MarketPlaceInfo for a key that was never set returns a struct whose fields all hold their default values.

So, for such a MarketPlaceInfo, every field is a default value. Nevertheless, updateMarketPlaceStatus() can set its MarketPlaceStatus to online, which is the vulnerability: a market with default (zero) parameters is then reported as online.

struct MarketPlaceInfo {
    bool fixedratio;
    MarketPlaceStatus status;
    address tokenAddress;
    uint256 tokenPerPoint;
    uint256 tge;
    uint256 settlementPeriod;
}

function updateMarketPlaceStatus(
    string calldata _marketPlaceName,
    MarketPlaceStatus _status
) external onlyOwner {
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(
        _marketPlaceName
    );
    // ===> returns a default-valued struct when the market was never created
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
        marketPlace
    ];
    // ===> status is written without checking that the market exists
    marketPlaceInfo.status = _status;
}

This should not be allowed.

Impact

A new MarketPlace entry can be created through the update function, bypassing the normal creation path.

Tools Used

Manual review

Recommendations

To prevent a new MarketPlace being created in updateMarketPlaceStatus(...), revise the function as below. This will ensure that updateMarketPlaceStatus(...) operates only on already created market places.

function updateMarketPlaceStatus(
    string calldata _marketPlaceName,
    MarketPlaceStatus _status
) external onlyOwner {
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(
        _marketPlaceName
    );
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
        marketPlace
    ];
+   // reject markets that were never created (default status)
+   if (marketPlaceInfo.status == MarketPlaceStatus.UnInitialized) {
+       revert MarketPlaceNotInitialized();
+   }
    marketPlaceInfo.status = _status;
}
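The following self-contained contract is an added illustration of the issue and of the recommended guard; it is not Tadle's code. It reuses the names from the finding (MarketPlaceStatus, MarketPlaceInfo, marketPlaceInfoMap, updateMarketPlaceStatus, MarketPlaceNotInitialized) but replaces GenerateAddress.generateMarketPlaceAddress with a hypothetical keccak-based helper, uses an assumed minimal enum in which UnInitialized is the zero value, and adds a stand-in creation function so the file compiles on its own. The hardened version also refuses to write UnInitialized back, one step beyond the page's recommendation, since that value is the sentinel the existence check relies on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Tadle's code. Only UnInitialized and Online are named by the
// finding; Offline is an assumed extra value. The zero value is the default a
// mapping returns for an absent key, which is what the existence check relies on.
enum MarketPlaceStatus { UnInitialized, Online, Offline }

struct MarketPlaceInfo {
    bool fixedratio;
    MarketPlaceStatus status;
    address tokenAddress;
    uint256 tokenPerPoint;
    uint256 tge;
    uint256 settlementPeriod;
}

error MarketPlaceNotInitialized();

abstract contract MarketPlaceStatusBase {
    mapping(address => MarketPlaceInfo) public marketPlaceInfoMap;
    address public immutable owner;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Hypothetical stand-in for GenerateAddress.generateMarketPlaceAddress.
    function marketPlaceAddress(string memory name) public pure returns (address) {
        return address(uint160(uint256(keccak256(bytes(name)))));
    }

    // Stand-in for the real creation path: the only place a market should come online.
    function createMarketPlace(string calldata name, address token) external onlyOwner {
        MarketPlaceInfo storage info = marketPlaceInfoMap[marketPlaceAddress(name)];
        if (info.status != MarketPlaceStatus.UnInitialized) revert("exists");
        info.status = MarketPlaceStatus.Online;
        info.tokenAddress = token;
    }

    function isInitialized(string calldata name) external view returns (bool) {
        return marketPlaceInfoMap[marketPlaceAddress(name)].status != MarketPlaceStatus.UnInitialized;
    }
}

// Before: mirrors the page. Writing status on an absent key creates a phantom entry
// whose tokenAddress, tokenPerPoint, tge and settlementPeriod are all zero.
contract VulnerableConfig is MarketPlaceStatusBase {
    function updateMarketPlaceStatus(string calldata name, MarketPlaceStatus status) external onlyOwner {
        MarketPlaceInfo storage info = marketPlaceInfoMap[marketPlaceAddress(name)];
        info.status = status; // no existence check
    }
}

// After: the recommended guard, plus a refusal to reset the sentinel value.
contract HardenedConfig is MarketPlaceStatusBase {
    function updateMarketPlaceStatus(string calldata name, MarketPlaceStatus status) external onlyOwner {
        MarketPlaceInfo storage info = marketPlaceInfoMap[marketPlaceAddress(name)];
        if (info.status == MarketPlaceStatus.UnInitialized) revert MarketPlaceNotInitialized();
        // Added beyond the page's recommendation: keep UnInitialized reserved for "never created".
        if (status == MarketPlaceStatus.UnInitialized) revert MarketPlaceNotInitialized();
        info.status = status;
    }
}

// Minimal harness: the deployer (this contract) is the owner of both configs.
contract Demo {
    function run() external returns (bool phantomCreated, bool hardenedReverted) {
        VulnerableConfig v = new VulnerableConfig();
        HardenedConfig h = new HardenedConfig();

        // "ghost" was never created, yet the vulnerable config marks it Online.
        v.updateMarketPlaceStatus("ghost", MarketPlaceStatus.Online);
        phantomCreated = v.isInitialized("ghost"); // true

        // The hardened config rejects the same call.
        try h.updateMarketPlaceStatus("ghost", MarketPlaceStatus.Online) {
            hardenedReverted = false;
        } catch {
            hardenedReverted = true; // true
        }
    }
}
```

Deploy Demo and call run(): it returns (true, true), showing that the unguarded function turns a never-created name into an Online market with zero token configuration, while the guarded function reverts with MarketPlaceNotInitialized. The existence check works only because UnInitialized occupies enum position zero; reordering the enum so that a real state becomes the default would silently disable it.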
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted, as noted in the README; they can break certain assumptions of the code based on their actions, and