tokenId 0's producer can win the voting event by default in case of 0 votes in `MartenitsaVoting` contract (Edge Case)
Summary
tokenId 0's producer can win the voting event by default in case of 0 votes in MartenitsaVoting contract (Edge Case).
Vulnerability Details
If we look into the announceWinner function of MartenitsaVoting contract, we can see that, in case where there is no votes, by default, the MartenitsaToken whose tokenId is 0, will be the default winner. That is, the first producer's first MartenitsaToken, whose tokenId is 0, will be the default winner in case where there are 0 votes in the voting event.
Malicious user can use this by always obtaining the first MartenitsaToken whose tokenId is 0 by frontrunning. After that, there can be 2 use cases:
The case where there are 0 votes, the user will become the winner by default.
If the market conditions permit, i.e., if the prices of all the MartenitsaTokens listed are low in the voting event, user can use another bug with titled
User can buy the listed MartenitsaToken to make the producer disqualify from the voting eventto disqualify everyone repeatedly such that no one can vote.
Impact
Although, there are very low chances to for any of the above 2 cases to happen, it still is an edge case where by default, the MartenitsaToken whose tokenId is 0, will be the default winner of the voting event and adding the check for the _tokenIds.length to be greater than 0 can remove this edge case.
Tools Used
Manual Review
Recommendations
Include a check in announceWinner function where _tokenIds.length should be greater than 0.
Lead Judging Commences
`tokenId=0` wins the voting
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.