Submission Details
Severity: low
Valid

Users added to the `producers` variable are not removed after the event has ended

Summary

Users added to the `producers` variable are not removed after the event has ended.

Vulnerability Details

After an event is started with the `startEvent` function, users participate in it by calling the `joinEvent` function. When a user calls this function, their account address is added to the `producers` array variable, which stores all the current producers of the contract.

The issue arises when the event ends. Once the event is stopped with the `stopEvent` function, the users who participated are no longer producers, so their addresses should be removed from the `producers` variable. However, `stopEvent` does not delete the users that were added. This makes `producers` an ever-growing list that gains new entries after each event and does not reflect the correct number of producers of the contract.
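
A minimal Solidity model of the behaviour described above, added here as an illustration and not taken from the audited contracts: `stopEvent` clears `isProducer` but leaves `producers` untouched, while `stopEventWithCleanup` removes each participant by its recorded index. The contract name, the function bodies, `producerIndex` and `stopEventWithCleanup` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified model, not the MartenitsaToken/MartenitsaEvent source.
// Names come from the finding; bodies, producerIndex and stopEventWithCleanup are assumptions.
contract ProducersModel {
    address[] public producers;
    address[] public participants;
    mapping(address => bool) public isProducer;
    mapping(address => uint256) private producerIndex; // hypothetical: index + 1, 0 = absent

    function joinEvent() external {
        require(!isProducer[msg.sender], "already a producer");
        participants.push(msg.sender);
        producers.push(msg.sender);
        producerIndex[msg.sender] = producers.length;
        isProducer[msg.sender] = true;
    }

    // Behaviour described in the finding: the flag is cleared, the array entry stays.
    function stopEvent() external {
        for (uint256 i = 0; i < participants.length; i++) {
            isProducer[participants[i]] = false;
        }
        delete participants; // assumed reset so the next event starts empty
    }

    // Order-independent cleanup: swap-and-pop each participant out of producers.
    function stopEventWithCleanup() external {
        for (uint256 i = 0; i < participants.length; i++) {
            address p = participants[i];
            uint256 idx = producerIndex[p];
            if (idx == 0) continue; // not present in producers
            address last = producers[producers.length - 1];
            producers[idx - 1] = last; // move the last entry into the freed slot
            producerIndex[last] = idx;
            producers.pop();
            delete producerIndex[p];
            isProducer[p] = false;
        }
        delete participants;
    }

    function getAllProducers() external view returns (address[] memory) {
        return producers;
    }
}
```

After `joinEvent` followed by `stopEvent`, `getAllProducers` in this model still returns the participant's address even though `isProducer` is false for it; after `stopEventWithCleanup` the array no longer contains it.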

Impact

Users will get the wrong data, i.e., the wrong producers, when the `MartenitsaToken::getAllProducers` function is called.

Tools Used

Manual Review

Recommendations

Add this code to the `MartenitsaEvent::stopEvent` function:

for (uint256 i = 0; i < participants.length; i++) {
isProducer[participants[i]] = false;
+ producers.pop();
}
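
Review bot: at the added `producers.pop();` line, each iteration removes whatever address is currently last in `producers`, not `participants[i]`, so the loop is only correct if the last `participants.length` entries of `producers` are exactly the event participants. If any other address is appended to `producers` while the event is running, a different producer is dropped and a participant stays in the list. Suggest removing each participant by address (for example swap-and-pop with a stored index), or at least stating the ordering assumption in a comment next to the loop.
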
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Producers array not updated
