It is possible for multiple Martenitsa Tokens to receive the same highest vote count in the MartenitsaVoting contract, but announceWinner selects only a single token as the winner from the set of token ids with the highest number of votes. This is unfair to the holders of the other tokens that received the same highest vote count.
The vulnerability is in MartenitsaVoting::announceWinner, which selects only a single winner even when multiple tokens have received exactly the same highest vote count. This is unfair to the token ids that received the same highest number of votes.
When a user votes for a token id, that id is appended to the _tokenIds array. The winner selection iterates over this array, so among all token ids that received the same highest vote count, the one whose first vote was cast earliest (and therefore appears first in _tokenIds) is declared the winner. Since the voting event runs for a fixed duration, the moment at which a token receives its first vote should not matter; every token should be treated equally.
The other tokens that received the same highest vote count are never declared winners; only one is selected.
Manual Review
Recommendation 1: If more than one token shares the highest vote count, use Chainlink VRF to pick a random winner from those tied tokens.
Recommendation 2: Declare every token id that received the highest vote count a winner.
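The following is an added, simplified sketch and not the contest repository's code. It models the tie-break behaviour described above with a minimal tally and a `>`-comparison winner loop (first-voted token wins ties), beside a version implementing Recommendation 2 that returns every token id sharing the highest count. Only `_tokenIds`, `voteCounts` and the announceWinner name come from the finding; the contract layout, the `vote` function and the remaining names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited MartenitsaVoting contract.
// Assumed minimal state: token ids in first-vote order plus their vote counts.
contract TieExample {
    uint256[] internal _tokenIds;                 // pushed on a token's first vote
    mapping(uint256 => uint256) public voteCounts;

    function vote(uint256 tokenId) external {
        if (voteCounts[tokenId] == 0) {
            _tokenIds.push(tokenId);             // first vote fixes position in the array
        }
        voteCounts[tokenId] += 1;
    }

    // Behaviour described in the finding: strict '>' means a later token that
    // merely equals the current maximum never replaces it, so among tied tokens
    // the one whose first vote came earliest is declared the sole winner.
    function announceWinnerSingle() external view returns (uint256 winnerTokenId) {
        uint256 maxVotes = 0;
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            if (voteCounts[_tokenIds[i]] > maxVotes) {
                maxVotes = voteCounts[_tokenIds[i]];
                winnerTokenId = _tokenIds[i];
            }
        }
    }

    // Recommendation 2: every token id with the highest count is a winner.
    // First pass finds the maximum and counts ties; second pass collects them.
    function announceWinnersAll() external view returns (uint256[] memory winners) {
        uint256 maxVotes = 0;
        uint256 count = 0;
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            uint256 votes = voteCounts[_tokenIds[i]];
            if (votes > maxVotes) {
                maxVotes = votes;
                count = 1;
            } else if (votes == maxVotes) {
                count += 1;
            }
        }
        winners = new uint256[](count);           // empty if nobody has voted
        uint256 j = 0;
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            if (voteCounts[_tokenIds[i]] == maxVotes) {
                winners[j++] = _tokenIds[i];
            }
        }
    }
}
```

With votes cast in the order A, B, A, B, `announceWinnerSingle` returns only A while `announceWinnersAll` returns [A, B].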