MartenitsaVoting::voteForMartenitsa function. A bad actor can manipulate the voting competition.
Description: There are no checks, access controls, or costs inside the MartenitsaVoting::voteForMartenitsa function that would prevent a malicious user from creating 100 wallets and voting for their own listing from each of them. The only things the function checks are whether msg.sender has already voted, whether the voting period has started, and whether the Martenitsa token is listed for sale. None of these ties a vote to a scarce resource: a fresh address has never voted, so it passes the first check for free.
Impact: A malicious user can create an unbounded number of new wallets and vote for their own token from each of them in order to win the competition. The only cost of the attack is the gas for each vote transaction, since no stake, fee, or token ownership is required to vote.
Recommended mitigation: Add additional enforcement, for example allowing only Martenitsa token holders or only health token holders to vote. Note that a live balance check on its own can still be bypassed by moving the same token between wallets during the voting window, so tie each vote to the specific token id that grants it (or to a balance snapshot taken when voting opens) so that a transferred token cannot vote twice.
Tools used: Manual review
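The following contract is an added illustration of the pattern described in this finding, not the audited MartenitsaVoting contract. The token interface, state layout, listing function, and timing variables are assumptions made for the example; only the three checks named above (msg.sender already voted, voting period open, token listed) are taken from the finding. It places the vulnerable shape beside a hardened one that spends votes per token id rather than per address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Not the audited MartenitsaVoting code: interface, state
// layout and timing are assumptions; only the three checks from the finding
// are reproduced from the report.

interface IMartenitsaToken {
    // Assumed to behave like ERC721 ownerOf.
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract VotingSybilDemo {
    IMartenitsaToken public immutable martenitsaToken; // assumed ERC721
    uint256 public immutable startVoteTime;
    uint256 public constant VOTE_DURATION = 1 days;     // assumed window

    mapping(uint256 => bool) public isListed;           // listing id => listed for sale (assumed)
    mapping(uint256 => uint256) public voteCounts;      // listing id => votes received
    mapping(address => bool) public hasVoted;           // vulnerable dedup key: the address
    mapping(uint256 => bool) public tokenHasVoted;      // hardened dedup key: the token id

    constructor(IMartenitsaToken _token) {
        martenitsaToken = _token;
        startVoteTime = block.timestamp;
    }

    // Assumed listing entry point: only the token's owner may list it.
    function list(uint256 tokenId) external {
        require(martenitsaToken.ownerOf(tokenId) == msg.sender, "not owner");
        isListed[tokenId] = true;
    }

    modifier duringVote() {
        require(block.timestamp >= startVoteTime, "voting not started");
        require(block.timestamp < startVoteTime + VOTE_DURATION, "voting ended");
        _;
    }

    // VULNERABLE shape: the only per-voter state is keyed on msg.sender.
    // Every fresh EOA passes all three checks, so one attacker funds N
    // addresses with gas and casts N votes for their own listing.
    function voteForMartenitsaVulnerable(uint256 listingId) external duringVote {
        require(isListed[listingId], "not listed");
        require(!hasVoted[msg.sender], "already voted");
        hasVoted[msg.sender] = true;
        voteCounts[listingId] += 1;
    }

    // HARDENED shape: a vote is spent by a specific Martenitsa token id, not
    // by an address. The caller must currently own the token that votes, and
    // each token votes once. Transferring the token to a second wallet does
    // not grant a second vote because tokenHasVoted[voterTokenId] is set.
    function voteForMartenitsaHardened(uint256 listingId, uint256 voterTokenId)
        external
        duringVote
    {
        require(isListed[listingId], "not listed");
        require(martenitsaToken.ownerOf(voterTokenId) == msg.sender, "caller does not own voter token");
        require(!tokenHasVoted[voterTokenId], "token already voted");
        tokenHasVoted[voterTokenId] = true;
        voteCounts[listingId] += 1;
    }
}
```

With the hardened function the cost of an extra vote becomes the cost of acquiring one more Martenitsa token, which is the scarcity the mitigation above relies on. If tokens can be minted cheaply and without limit, that cost is low and the vote is still cheap to manipulate, so the gating asset must itself be expensive or capped.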