Submission Details
Severity:
health tokens are locked in MartenitsaEvent contract
Summary
health tokens are locked in MartenitsaEvent contract
Vulnerability Details
When owner starts an event in MartenitsaEvent, users who are not an producer will join this event to become an temporary producer via joining event. The condition for joining this event is to pay 1 HealthToken. So MartenitsaEvent contract will earn some profits. However, these profits cannot be withdraw because of lacking related function and will be locked in this contract forever.
function joinEvent() external {
require(block.timestamp < eventEndTime, "Event has ended");
require(!_participants[msg.sender], "You have already joined the event");
require(!isProducer[msg.sender], "Producers are not allowed to participate");
require(_healthToken.balanceOf(msg.sender) >= healthTokenRequirement, "Insufficient HealthToken balance");
_participants[msg.sender] = true;
participants.push(msg.sender);
emit ParticipantJoined(msg.sender);
(bool success) = _healthToken.transferFrom(msg.sender, address(this), healthTokenRequirement);
require(success, "The transfer is not successful");
_addProducer(msg.sender);
}
Impact
Profits in MartenitsaEvent will locked forever.
Tools Used
Manual
Recommendations
Add one withdraw() function to withdraw the related profits.
Updates
Lead Judging Commences
bube about 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
HealthTokens in MartenitsaEvent
Rewards breakdown
nSLOC
239This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.