High risk, Medium risk and Low risk findings
Summary
The "Baba Marta" protocol offers users the opportunity to purchase and gift MartenitsaTokens to friends. Additionally, users can become producers, enabling them to create and sell MartenitsaTokens. There's also a competition where producers can submit their MartenitsaTokens for voting, with non-producers having the ability to vote. The winning MartenitsaToken earns its producer a HealthToken . If a user isn't a producer but desires a HealthToken , they can obtain one by accumulating three different MartenitsaTokens. The more MartenitsaTokens a user collects, the more HealthTokens they receive. HealthTokens serve as tickets to an exclusive event where participants assume the producer role, enabling them to create and sell their own MartenitsaTokens during the event.
Vulnerability Details
High vulnerability findings
[H-1] joinEvent::MartenitsaEvent is susceptible to reentracy attacks since the state variables are not updated before external calls.
[H-2] buyMartenitsa::MartenitsaMarketplace is susceptible to reentracy attacks as external calls are made before updating state variables
[H-3] announceWinner::MartenitsaVoting may be vulnerable to potential integer overflow
Medium vulnerability findings
[M-1]distributeHealthToken::HealthToken distribute health tokens could be lost if the transfer fails.
Low vulnerability findings
[L-1]requiredMartenitsaTokens::MartenitsaMarketplace is declared but not used in the contract
Impact
These issues could undermine the security, reliability, and usability of the MartenitsaEvent contract, potentially resulting in financial losses, user dissatisfaction, and reputational damage to the project or platform deploying the contract. Therefore, it's crucial to address these issues promptly to mitigate their impact and ensure the integrity and robustness of the contract. Proof of Concept: A malicious contract could exploit the reentrancy vulnerability in the joinEvent function to repeatedly drain funds or manipulate the state of the MartenitsaEvent contract.
The buyMartenitsa function extends beyond financial losses to encompass token ownership manipulation, service disruptions, data integrity risks, and loss of user trust
The announceWinner The impact of the potential integer overflow vulnerability in the announceWinner function can be significant if exploited. This can lead to incorrect winner determination, unintended reward distribution, loss of trust and reputation and operational disruption.
Tools Used
No automated analysis tools were utilized to identify this issue. The vulnerability was discovered through manual inspection of the contract code.
Recommendations
For the joinEvent function To address these issues, you can consider the following improvements:
-Implement the checks-effects-interactions pattern to ensure that internal state changes are completed before interacting with external contracts or calling external functions. -Add checks to verify if the event is active and if the caller has already joined the event. -Consider using a data structure like a dynamic array or a mapping to efficiently track participants and prevent duplicate entries. -Use synchronization mechanisms such as mutex locks or reentrancy guards to prevent race conditions in concurrent transactions.
To mitigate this reentrancy vulnerability, we can follow the checks-effects-interactions pattern
For the announceWinner To address this vulnerability, we should ensure that the calculation of maxVotes is performed safely and does not result in an overflow. We can achieve this by using proper input validation and implementing safe arithmetic operations.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.