A user can influence the MartenitsaMarketplace market by using the joinEvent function.
Because HealthToken follows the ERC20 standard, users can move HealthTokens with the transferFrom and transfer functions.
After obtaining many HealthTokens through the MartenitsaMarketplace::collectReward function, a malicious user can call transferFrom and transfer to send 1 HealthToken to each of their other accounts, and then call MartenitsaEvent::joinEvent from every one of those accounts to join the event.
After entering the event and becoming the producer, the malicious user can single-handedly increase or decrease the price of MartenitsaTokens from all of their accounts, which can influence the MartenitsaMarketplace user/producer market.
A single user can influence the MartenitsaMarketplace market by selling MartenitsaTokens at a very low or very high price through their various other addresses, thereby increasing or decreasing the overall price of MartenitsaTokens in the user/producer market.
Manual Review
Add a revert statement to the transferFrom and transfer functions so that every call to them reverts. This makes transferring HealthTokens impossible for any user, malicious or not.
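A sketch of this mitigation, added here as an example and not taken from the project's HealthToken source. It assumes an OpenZeppelin ERC20 base; the contract name, the `distributor` address, the `distributeReward` function, the error names and the "HT" symbol are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Added example: a HealthToken variant whose balances cannot be moved
// between accounts. Names below are assumptions, not the project's code.
contract NonTransferableHealthToken is ERC20 {
    error HealthTokenNonTransferable();
    error NotDistributor();

    // Hypothetical: the only address allowed to mint rewards
    // (for example, the marketplace contract).
    address public immutable distributor;

    constructor(address distributor_) ERC20("HealthToken", "HT") {
        distributor = distributor_;
    }

    // Rewards are still minted straight to the account that earned them.
    // _mint does not go through transfer/transferFrom, so it keeps working.
    function distributeReward(address to, uint256 amount) external {
        if (msg.sender != distributor) revert NotDistributor();
        _mint(to, amount);
    }

    // Every holder-initiated transfer reverts, so one account's rewards
    // cannot be split across other addresses to satisfy joinEvent.
    function transfer(address, uint256) public pure override returns (bool) {
        revert HealthTokenNonTransferable();
    }

    // Allowance-based transfers revert as well; approve() becomes moot.
    function transferFrom(address, address, uint256) public pure override returns (bool) {
        revert HealthTokenNonTransferable();
    }
}
```

Any contract that itself calls transfer or transferFrom on the token will also revert under this change, so those call sites need to be checked before adopting it.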