Submission Details
Severity:
During event a participant becomes `Producer` and can `createMartenitsa`
Summary
Anyone with a healthtoken can make martenitza while participating in an event.
Vulnerability Details
When joining an event , a user becomes producer which unlocks his ability to create martenitrzas.
function joinEvent() external {
require(block.timestamp < eventEndTime, "Event has ended");
require(!_participants[msg.sender], "You have already joined the event");
require(!isProducer[msg.sender], "Producers are not allowed to participate");
require(_healthToken.balanceOf(msg.sender) >= healthTokenRequirement, "Insufficient HealthToken balance");
_participants[msg.sender] = true;
participants.push(msg.sender);
emit ParticipantJoined(msg.sender);
(bool success) = _healthToken.transferFrom(msg.sender, address(this), healthTokenRequirement);
require(success, "The transfer is not successful");
_addProducer(msg.sender);
}
This happens when he is added as producer at the end of the joinEvent funtion.
Impact
High, matenitzas will be created non stop.
Tools Used
Manual review
Recommendations
Add another role instead of being a producer.
Rewards breakdown
nSLOC
239This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.