Severity: medium
Valid

A user can buy a producer's listed `MartenitsaToken` to disqualify that producer from the voting event

Summary

A user can buy a producer's listed MartenitsaToken to disqualify that producer from the voting event.

Vulnerability Details

Once the voting event has started, any user can vote for any producer's MartenitsaToken. For a producer's MartenitsaToken to be eligible for votes, however, it must be listed in the MartenitsaMarketplace contract, where other users can buy it.

If a user buys the listed MartenitsaToken, the producer can no longer use it to compete in the voting event. A malicious user can take advantage of this by buying a targeted producer's MartenitsaToken with the MartenitsaMarketplace::buyMartenitsa function. As a result, the affected tokenId cannot receive any more votes (or any votes at all) from users until the producer lists another MartenitsaToken.

Impact

A malicious user can disqualify any producer and affect their vote count. Even if the producer lists another MartenitsaToken and starts competing again, the producer loses the time it takes to go through the whole process of re-entering the event. Users who wanted to vote for that producer have to wait and may never learn about the new listing. The producer therefore loses many votes, as well as time in which to compete fairly in the voting event.

If the producer sets the price of the MartenitsaToken very high, the malicious actor may not be able to buy it and so cannot affect the voting event. After the voting event, however, this MartenitsaToken will be redundant, because no one will be willing to buy it at such a high price.

Tools Used

Manual Review

Recommendations

Add a separate function to the MartenitsaVoting contract that producers must call if they want to compete in the voting event. Producers first register their tokenId for the voting event, and only then does the event start. This removes the need to list the tokens in the MartenitsaMarketplace contract in order to be eligible for votes.
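
A sketch of this recommendation, added here as an example and not taken from the project's code: vote eligibility is recorded at registration time instead of being read from marketplace listing state. The contract name, function names, the DURATION value and the assumption that MartenitsaToken exposes the standard ERC-721 ownerOf are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Assumption: MartenitsaToken exposes the standard ERC-721 ownerOf.
interface IOwnerOf {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Hypothetical contract illustrating registration-based eligibility.
contract VotingWithRegistration {
    IOwnerOf public immutable token;
    address public immutable organizer;
    uint256 public constant DURATION = 1 days; // constructed value
    uint256 public startTime; // 0 until the organizer starts the event

    mapping(uint256 => address) public registeredBy; // tokenId => producer
    mapping(uint256 => uint256) public voteCounts;
    mapping(address => bool) public hasVoted;

    constructor(address token_) {
        token = IOwnerOf(token_);
        organizer = msg.sender;
    }

    // Producers enter a token they own before the event starts.
    function register(uint256 tokenId) external {
        require(startTime == 0, "event already started");
        require(token.ownerOf(tokenId) == msg.sender, "not token owner");
        require(registeredBy[tokenId] == address(0), "already registered");
        registeredBy[tokenId] = msg.sender;
    }

    function startVoting() external {
        require(msg.sender == organizer, "not organizer");
        require(startTime == 0, "already started");
        startTime = block.timestamp;
    }

    // Eligibility is the registration record, not marketplace state,
    // so a purchase of the token during the event cannot remove it.
    function vote(uint256 tokenId) external {
        require(startTime != 0, "voting not started");
        require(block.timestamp < startTime + DURATION, "voting ended");
        require(registeredBy[tokenId] != address(0), "token not registered");
        require(!hasVoted[msg.sender], "already voted");
        hasVoted[msg.sender] = true;
        voteCounts[tokenId] += 1;
    }
}
```

Because votes are credited against the registration record, a transfer of the token after registration does not change who the votes count for; a real implementation would also need to decide how rewards are paid out in that case.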

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Unable to receive reward
