A user can buy the winner's listed MartenitsaToken, which leads to DoS of the announceWinner function.
After the voting event has ended, any user can discover the winner using the getVoteCount function. When the owner calls announceWinner, the function determines the winning tokenId and then calls getListing on the MartenitsaMarketplace contract. getListing only returns the address if the MartenitsaToken is listed and can be bought. This means that if the MartenitsaToken has been bought, getListing will revert.
A malicious user can use this to his advantage: he uses getVoteCount to learn the winner and buys its listed MartenitsaToken via the buyMartenitsa function. After that, when the owner calls announceWinner, the function will always revert, leading to DoS.
This vulnerability leads to DoS of the announceWinner function. The winning producer will not be able to receive the HealthToken, and the whole voting event will lose its meaning.
Manual Review
Rather than retrieving the address for the winning tokenId from the MartenitsaMarketplace contract, use the ERC721 ownerOf(tokenId) function to get the address.
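The dependency described above and the recommended change, as an added example that is not the audited project's code. `MarketplaceModel`, `VotingModel`, `IERC721Min`, the revert string and the `announceWinnerVulnerable`/`announceWinnerFixed` names are hypothetical; vote counting, payment and token transfer are omitted, so the winning tokenId is passed in directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example; not the audited contracts.
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract MarketplaceModel {
    struct Listing { address seller; uint256 price; }
    mapping(uint256 => Listing) private listings; // tokenId => active listing

    function list(uint256 tokenId, uint256 price) external {
        listings[tokenId] = Listing(msg.sender, price);
    }

    // Reverts for any token that is not currently listed.
    function getListing(uint256 tokenId) external view returns (Listing memory) {
        require(listings[tokenId].seller != address(0), "not listed");
        return listings[tokenId];
    }

    // A purchase clears the listing (payment and transfer omitted in this model).
    function buy(uint256 tokenId) external payable {
        require(listings[tokenId].seller != address(0), "not listed");
        delete listings[tokenId];
    }
}

contract VotingModel {
    MarketplaceModel public immutable market;
    IERC721Min public immutable token;
    event WinnerAnnounced(uint256 tokenId, address winner);

    constructor(MarketplaceModel m, IERC721Min t) { market = m; token = t; }

    // Before: depends on marketplace state that any buyer can change.
    function announceWinnerVulnerable(uint256 winnerTokenId) external {
        address winner = market.getListing(winnerTokenId).seller; // reverts once sold
        emit WinnerAnnounced(winnerTokenId, winner);
    }

    // After: read the holder from the ERC721 itself, independent of listing state.
    // Note: ownerOf returns the current holder, which after a sale is the buyer.
    function announceWinnerFixed(uint256 winnerTokenId) external {
        address winner = token.ownerOf(winnerTokenId); // reverts only for a nonexistent token
        emit WinnerAnnounced(winnerTokenId, winner);
    }
}
```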