Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Overwriting Treats in addTreat Function

Summary

The addTreat function in the SpookySwap contract allows the contract owner to add new treats by specifying a name, cost, and metadata URI. However, there is currently no check in place to prevent adding a treat with an existing name.

Vulnerability Details

The addTreat function allows treats to be added to the treatList mapping using a unique name as the key. However, since there’s no validation to check if a treat with the same name already exists, an owner could overwrite an existing treat by adding a new treat with an identical name.


Overwriting Treats: If the owner calls addTreat with an existing treat name, it overwrites the treat data in treatList for that name, including cost and metadata, without any warning or restriction.

Impact

  • Unintentional Data Loss: Previous treat data, including the original cost and metadata, is lost when overwritten.

  • User Confusion: Users may see different properties (cost, metadata) for treats with the same name, undermining trust and clarity in treat availability.

Tools Used

Manual Review

Recommendations

Check for Existing Treats:

  • Before adding a treat, verify that the treat name does not already exist in treatList. If it exists, revert the transaction with an error message.
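One way to implement the recommended check, as an added sketch that is not the SpookySwap source: the struct layout, the treatNames array, the custom errors, the treatExists helper and the minimal owner check are assumptions made so the example is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's contract. Only addTreat, treatList and
// the (name, cost, metadata URI) fields come from the report; the rest is assumed.
contract TreatRegistrySketch {
    struct Treat {
        string name;
        uint256 cost;
        string metadataURI;
    }

    error NotOwner();
    error EmptyTreatName();
    error TreatAlreadyExists(string name);

    event TreatAdded(string name, uint256 cost, string metadataURI);

    address public immutable owner;
    mapping(string => Treat) public treatList;
    string[] public treatNames;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // A mapping returns a zeroed struct for unknown keys, so the stored name
    // doubles as the existence marker. Cost is not used: a zero cost may be valid.
    function treatExists(string memory _name) public view returns (bool) {
        return bytes(treatList[_name].name).length != 0;
    }

    function addTreat(string memory _name, uint256 _cost, string memory _metadataURI) external onlyOwner {
        // An empty name would never register as existing, so reject it up front.
        if (bytes(_name).length == 0) revert EmptyTreatName();
        // Revert instead of silently replacing the stored cost and metadata.
        if (treatExists(_name)) revert TreatAlreadyExists(_name);

        treatList[_name] = Treat(_name, _cost, _metadataURI);
        treatNames.push(_name);
        emit TreatAdded(_name, _cost, _metadataURI);
    }
}
```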

Updates

Appeal created

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Duplicate treats

The function `addTreat` is called by the owner. The owner is trusted. There will be no duplicates.
