Summary

MartenitsaVoting::announceWinner does not check if the winner NFTs is still listed, and assumes that the owner of the NFT is MartenitsaMarketplace.getListing(tokenId).seller. If the winner NFT is not listed when MartenitsaVoting::announceWinner is called, then the function will effectively try to mint healthToken rewards to address(0) and, hence, MartenitsaVoting::announceWinner will be impossible to successfully execute.

Vulnerability Details

Consider the following scenario:

• UserA owns an NFT and lists it for sale on the Martenitsa marketplace;

• once listed, users can vote on it in the Martenitsa voting event;

• imagine this NFT receives the highest number of votes, positioning it as the sure winner of the event;

• in the meantime, another user purchases this NFT from UserA, based on the existing listing on the marketplace.

• following the sale, the NFT is automatically delisted

• soon after the voting event ends, MartentisaVoting::announceWinner is called,

• MartentisaVoting::announceWinner assumes that the owner of the NFT is MartenitsaMarketplace.getListing(tokenId).seller, which in the case of a delisted NFT is address(0),

• MartenitsaVoting::announceWinnerwill try to minthealthTokenrewards toaddress(0)` and, hence, the transaction will fail.

• it will be impossible to announce a winner until the new owner of the NFT relists it.

Impact

It will be impossible to announce a winner until the new owner of the NFT relists it.

Tools Used

Manual review, Foundry.

Recommendations

Use onwerOf() to send the rewards to the true owner.