Submission Details
Severity:
No Vote during voting period cause toeknId 0 to win
Summary
To find the winner of the voting, the announceWinner function scan the _tokenIds to find the tokenId that received more votes.
If the _tokenIds is empty the winnerTokenId will not be initialized, thus emitting a WinnerAnnounced event with a token Id of 0 and transfering the HealthToken to the seller of the token with Id 0
Impact
The producer of the token 0 has an unfair advantage.
Proof of Concept:
Add this test to MartenitsaVoting.t.sol
Proof Of Code
function testAnnounceWinnerWithNoVote() public listMartenitsa {
vm.warp(block.timestamp + 1 days + 1);
vm.recordLogs();
voting.announceWinner();
Vm.Log[] memory entries = vm.getRecordedLogs();
address winner = address(uint160(uint256(entries[0].topics[2])));
assert(winner == chasy);
}
Tools Used
Foundry
Recommendations
In announceWinner check if there are no votes
function announceWinner() external onlyOwner {
require(block.timestamp >= startVoteTime + duration, "The voting is active");
+ require(_tokenIds.length > 0, "The are no votes");
uint256 winnerTokenId;
...
Updates
Lead Judging Commences
bube over 1 year ago
Submission Judgement Published Assigned finding tags:
`tokenId=0` wins the voting
Rewards breakdown
nSLOC
239This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.