Trick or Treat

First Flight #27
Beginner Friendly
Foundry
100 EXP
Submission Details
Severity: low
Invalid

Centralization Risk

Summary

The contract owner can change treat costs at any time, potentially disrupting user transactions.

Vulnerability Details

Location: src/TrickOrTreat.sol:setTreatCost()

Proof of Concept:

function testCentralizationRisk() public {
    // Initial setup
    (, uint256 initialCost,) = spookySwap.treatList("Candy");

    // User1 prepares to buy a treat
    vm.deal(user1, initialCost);

    // Owner suddenly changes the price
    uint256 newCost = initialCost * 2;
    vm.prank(owner);
    spookySwap.setTreatCost("Candy", newCost);

    // User1 attempts to buy with the initial cost
    vm.prank(user1);
    vm.expectRevert("Insufficient ETH sent for treat");
    spookySwap.trickOrTreat{value: initialCost}("Candy");

    // Verify the cost has changed
    (, uint256 updatedCost,) = spookySwap.treatList("Candy");
    assertEq(updatedCost, newCost, "Treat cost should have been updated");

    // Verify user1 couldn't buy at the old price
    assertEq(spookySwap.balanceOf(user1), 0, "User1 should not have received an NFT");
}

Impact

This could lead to market manipulation, violation of user trust, and potential insider trading. It may cause users to abandon the platform if abused.

Tools Used

Forge

Recommendations

Implement a time-lock mechanism for price changes or limit the frequency of changes.
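
One way to implement the time-lock recommended above, as an added example that is not part of the submission or of the TrickOrTreat code base. The contract name, the propose/apply split, the storage layout and the one-day delay are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. All names here are hypothetical.
contract TimelockedTreatCost {
    struct PendingCost { uint256 cost; uint256 eta; } // eta == 0 means nothing queued

    uint256 public constant DELAY = 1 days; // assumed notice period
    address public immutable owner;
    mapping(string => uint256) public treatCost;
    mapping(string => PendingCost) public pendingCost;

    event CostChangeQueued(string treatName, uint256 newCost, uint256 eta);
    event CostChangeApplied(string treatName, uint256 newCost);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // First listing takes effect immediately: there is no existing price to protect.
    function addTreat(string calldata name, uint256 cost) external onlyOwner {
        require(treatCost[name] == 0, "Treat exists");
        require(cost > 0, "Cost must be > 0");
        treatCost[name] = cost;
    }

    // Step 1: announce the new cost on-chain. Buyers keep paying the old cost until eta.
    function proposeTreatCost(string calldata name, uint256 newCost) external onlyOwner {
        require(treatCost[name] > 0, "Treat must exist");
        require(newCost > 0, "Cost must be > 0");
        uint256 eta = block.timestamp + DELAY;
        pendingCost[name] = PendingCost(newCost, eta); // re-proposing restarts the delay
        emit CostChangeQueued(name, newCost, eta);
    }

    // Step 2: anyone may apply the queued cost once the delay has elapsed.
    function applyTreatCost(string calldata name) external {
        PendingCost memory p = pendingCost[name];
        require(p.eta != 0, "Nothing queued");
        require(block.timestamp >= p.eta, "Timelock not elapsed");
        delete pendingCost[name];
        treatCost[name] = p.cost;
        emit CostChangeApplied(name, p.cost);
    }
}
```

With this shape, a buyer who reads `treatCost` and sends that amount cannot be repriced within the same block, because any change is visible in `pendingCost` for the full delay before it applies.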

Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Change cost between the call of trickOrTreat and resolveTrick

Only the owner has the rights to change the cost of the treat. Therefore it is assumed that the owner will not change the cost of the pending NFTs. The owner role is trusted.
