The cost or rate of a treat can be changed before users complete payment for the treat.
A user interacts with the function trickOrTreat().
They are unlucky and get double the price.
The ETH they sent along was not enough for payment, so their treat is added to the pending treats.
The owner can take advantage of that and call the function setTreatCost(), increasing the cost of the treat.
When users come back to complete their payment, they'll have to pay more than they ought to.
Loss of user's funds, due to paying more than they should.
Manual Code Review
Owners should not be able to change the cost of a treat while there is a pending treat, or there should be a mapping that tracks the cost of each pending treat as of when the transaction occurred.
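A sketch of the second option in the recommendation above, added here as an example and not taken from the audited contract: the price is recorded when a purchase goes pending, so a later setTreatCost() call cannot raise it. Only trickOrTreat() and setTreatCost() are names from the finding; the contract name, the Pending struct, completePayment(), treatsOwned and the `doubled` parameter are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical contract for illustration; not the audited code.
contract PendingPriceLock {
    struct Pending { uint256 lockedCost; uint256 paid; }
    address public immutable owner;
    uint256 public treatCost;                       // price for purchases started from now on
    mapping(address => Pending) public pending;     // simplification: one pending treat per buyer
    mapping(address => uint256) public treatsOwned; // stand-in for minting the NFT

    constructor(uint256 initialCost) {
        require(initialCost > 0, "cost is zero");
        owner = msg.sender;
        treatCost = initialCost;
    }

    function setTreatCost(uint256 newCost) external {
        require(msg.sender == owner, "not owner");
        require(newCost > 0, "cost is zero");
        treatCost = newCost; // pending purchases keep their lockedCost
    }

    // `doubled` stands in for the contract's own trick outcome (assumption).
    function trickOrTreat(bool doubled) external payable {
        require(pending[msg.sender].lockedCost == 0, "payment pending");
        uint256 cost = doubled ? treatCost * 2 : treatCost;
        if (msg.value >= cost) {
            _settle(msg.sender, msg.value - cost);
        } else {
            pending[msg.sender] = Pending(cost, msg.value); // price fixed here
        }
    }

    function completePayment() external payable {
        Pending memory p = pending[msg.sender];
        require(p.lockedCost != 0, "nothing pending");
        uint256 total = p.paid + msg.value;
        require(total >= p.lockedCost, "still underpaid");
        delete pending[msg.sender];                  // clear state before the external call
        _settle(msg.sender, total - p.lockedCost);
    }
    function _settle(address buyer, uint256 refund) private {
        treatsOwned[buyer] += 1;
        if (refund > 0) {
            (bool ok, ) = buyer.call{value: refund}("");
            require(ok, "refund failed");
        }
    }
}
```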
Only the owner has the rights to change the cost of the treat. Therefore it is assumed that the owner will not change the cost of the pending NFTs. The owner role is trusted.