Trick or Treat

First Flight #27
Beginner Friendly | Foundry
100 EXP
Submission Details
Severity: low
Invalid

Missing addTreat function parameters validation

Summary

The contract lets the owner add treats under arbitrary names without checking that the name is not already registered. Re-adding an existing name silently overwrites that treat's cost and metadata URI in the treatList mapping while pushing the name onto the treatNames array a second time, so the list of treat names and the mapping contents fall out of step.

Vulnerability Details

The addTreat function registers new treats in the SpookySwap contract. It accepts a treat name (_name), its cost (_rate), and a metadata URI (_metadataURI). The assignment `treatList[_name] = Treat(_name, _rate, _metadataURI)` writes a new Treat struct to the _name key of the treatList mapping. If a treat with that name already exists, the existing entry is overwritten with no check and no revert, and the following `treatNames.push(_name)` appends the same name to treatNames again.

Impact

A later addTreat call with an already-used name replaces the earlier entry in treatList, silently changing the cost or metadata of an existing treat. Because the name is pushed onto treatNames again, the array lists the same name twice while the mapping holds only the latest values: anything that enumerates treatNames reports more treats than actually exist, and users see duplicate entries whose price and metadata differ from what was originally advertised. Since addTreat is restricted by onlyOwner, triggering this requires an owner mistake rather than an external caller.

Tools Used

Manual review

Recommendations

Modify addTreat to verify that no treat with the provided name exists before adding it, so duplicates are rejected whether accidental or intentional. The check below treats a zero cost as "unset"; if a treat may legitimately be registered with a cost of 0, test whether the stored name is empty instead, since an unset struct has an empty name.

function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public onlyOwner {
    // Reject a name that is already registered instead of overwriting it.
    require(treatList[_name].cost == 0, "Treat already exists.");
    treatList[_name] = Treat(_name, _rate, _metadataURI);
    treatNames.push(_name); // now guaranteed to hold each name at most once
    emit TreatAdded(_name, _rate, _metadataURI);
}
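The following Foundry test is an added example, not code from the SpookySwap contest repository. It reproduces the storage pattern described in the Vulnerability Details (a name-keyed mapping plus a name array) in a cut-down model contract, TreatStoreModel, which is an assumption for illustration: it has no onlyOwner modifier or other contest logic because the point is the storage inconsistency, not access control. The first test shows the unguarded addTreat overwriting the mapping slot while treatNames grows to two entries; the second shows the recommended guard rejecting the duplicate. The guard checks the stored name rather than the cost so that it also covers a treat registered at cost 0. It assumes forge-std is available, as in any Foundry project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a cut-down model of the addTreat storage pattern,
// not the SpookySwap contract itself.
import {Test} from "forge-std/Test.sol";

contract TreatStoreModel {
    struct Treat {
        string name;
        uint256 cost;
        string metadataURI;
    }

    mapping(string => Treat) public treatList; // name => treat
    string[] public treatNames;                // enumerable list of names
    bool public immutable rejectDuplicates;    // toggles the recommended check

    event TreatAdded(string name, uint256 rate, string metadataURI);

    constructor(bool _rejectDuplicates) {
        rejectDuplicates = _rejectDuplicates;
    }

    // Access control deliberately omitted in this model; the real function is onlyOwner.
    function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public {
        if (rejectDuplicates) {
            // An unset struct has an empty name, so this catches any prior registration,
            // including one whose cost was 0.
            require(bytes(treatList[_name].name).length == 0, "Treat already exists.");
        }
        treatList[_name] = Treat(_name, _rate, _metadataURI); // silently overwrites when unguarded
        treatNames.push(_name);                               // pushes a second copy of the name
        emit TreatAdded(_name, _rate, _metadataURI);
    }

    function treatCount() external view returns (uint256) {
        return treatNames.length;
    }
}

contract DuplicateTreatTest is Test {
    function test_unguardedAddOverwritesAndDuplicatesName() public {
        TreatStoreModel store = new TreatStoreModel(false);
        store.addTreat("Candy", 1 ether, "ipfs://candy-v1"); // constructed sample data
        store.addTreat("Candy", 2 ether, "ipfs://candy-v2");

        // The mapping now holds only the second entry ...
        (, uint256 cost, string memory uri) = store.treatList("Candy");
        assertEq(cost, 2 ether);
        assertEq(uri, "ipfs://candy-v2");

        // ... but the name list reports two treats, both resolving to that one slot.
        assertEq(store.treatCount(), 2);
        assertEq(store.treatNames(0), store.treatNames(1));
    }

    function test_guardedAddRevertsOnDuplicate() public {
        TreatStoreModel store = new TreatStoreModel(true);
        store.addTreat("Candy", 1 ether, "ipfs://candy-v1");

        vm.expectRevert(bytes("Treat already exists."));
        store.addTreat("Candy", 2 ether, "ipfs://candy-v2");

        // The first registration is untouched and the list still has one entry.
        (, uint256 cost,) = store.treatList("Candy");
        assertEq(cost, 1 ether);
        assertEq(store.treatCount(), 1);
    }
}
```

Run it with `forge test --match-contract DuplicateTreatTest -vv`. The first test is the concrete form of the inconsistency described above: a frontend or script that iterates treatNames and looks each name up in treatList will render "Candy" twice at 2 ether, with no trace of the 1 ether entry that was overwritten.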
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Duplicate treats

The function `addTreat` is called by the owner. The owner is trusted. There will be no duplicates.
