First Flight #13: Baba Marta

First Flight #13

Beginner FriendlyFoundryGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

MEV attack in `MartenitsaVoting::announceWinner`

kostov

Summary

MEV attack in MartenitsaVoting::announceWinner - the attacker gets the reward or DoS the contract.

Vulnerability Details

Just before the winner is announced, the attacker will buy the winning token by MartenitsaMarketplace::buyMartenitsa and the token will be deleted from the tokenIdToListing mapping. The attacker will make his transaction go before the announceWinner transaction.

Now the attacker has two choices:

List the token again in the MartenitsaMarketPlace and then the HealthToken reward will go to the attacker instead of the actual winner
Don't list the token again and DOS the MartenitsaVoting::announceWinner. When MartenitsaMarketPlace::getListing is called in MartenitsaVoting::accounceWInner, the function will revert, because it expects that the token is listed for sale - require(listing.forSale, "Token is not listed for sale");

function announceWinner() external onlyOwner {

require(block.timestamp >= startVoteTime + duration, "The voting is active");

uint256 winnerTokenId;

uint256 maxVotes = 0;

for (uint256 i = 0; i < _tokenIds.length; i++) {

if (voteCounts[_tokenIds[i]] > maxVotes) {

maxVotes = voteCounts[_tokenIds[i]];

winnerTokenId = _tokenIds[i];

}

list = _martenitsaMarketplace.getListing(winnerTokenId);

_healthToken.distributeHealthToken(list.seller, 1);

emit WinnerAnnounced(winnerTokenId, list.seller);

}

function getListing(uint256 tokenId) external view returns (Listing memory) {

Listing memory listing = tokenIdToListing[tokenId];

require(listing.forSale, "Token is not listed for sale");

return tokenIdToListing[tokenId]; //@audit-info - could return listing here

}

Impact

The attacker will get the reward instead of the actual winner or will DoS the MartenitsaVoting::announceWinner.
The voting can't be started again because as it is stated in the README - The voting takes place only once.

Tools Used

Manual Review

Recommendations

Use Flashbots or change the rules that not only listed for sale tokens can participate in the vote.
The second option is recommended as this issue can happen also without MEV attack, though it is a bit harder to execute.
But if there is small amount of time until the deadline and there is a clear leader in the voting, the same thing can be achieved without MEV.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Unable to receive reward

Rewards breakdown

nSLOC

239

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.