Summary

Owner as a producer can act maliciously to win the voting event in MartenitsaVoting contract (edge case).

Vulnerability Details

Owner can enter announceWinner function without entering startVoting function, that means that, owner can end the voting event without giving anyone the chance to participate in the event.

This along with the vulnerability titled tokenId 0's producer can win the voting event by default in case of 0 votes in MartenitsaVoting contract (Edge Case)., owner can first become the first MartenitsaToken holder with the 0 tokenId. After this owner can enter announceWinner function without entering startVoting function.

As stated in the mentioned vulnerability, by default, the winner of the voting event will be MartenitsaToken holder with the 0 tokenId in case where there are no votes. Thus, owner will win by default without giving any user any chance to participate in the voting event.

Impact

After the owner has completed the setup of the protocol. He can participate in the protocol as a producer. Owner can use his privileges of being the owner to maliciously win the voting event as a producer and gaining HealthToken.

Tools Used

Manual Review

Recommendations

Change the conditions of announceWinner function such that owner cannot enter/access this function without using startVoting function.