Owner, acting as a producer, can maliciously win the voting event in the MartenitsaVoting contract (edge case).
The owner can call the announceWinner function without first calling the startVoting function. This means the owner can end the voting event without giving anyone the chance to participate in it.
This can be combined with the vulnerability titled "tokenId 0's producer can win the voting event by default in case of 0 votes in MartenitsaVoting contract (Edge Case)": the owner can first become the first MartenitsaToken holder, with tokenId 0. After this, the owner can call the announceWinner function without calling the startVoting function.
As stated in the mentioned vulnerability, the winner of the voting event defaults to the MartenitsaToken holder with tokenId 0 when there are no votes. Thus, the owner will win by default without giving any user a chance to participate in the voting event.
After the owner has completed the setup of the protocol, he can participate in the protocol as a producer. The owner can then use his owner privileges to maliciously win the voting event as a producer and gain HealthToken.
Manual Review
Change the conditions of the announceWinner function so that the owner cannot access it without first calling the startVoting function.
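One way to implement this recommendation, as an added sketch that is not the MartenitsaVoting source. Every name other than startVoting and announceWinner, the one-day duration, and the deadline check are assumptions; the sketch also rejects the zero-vote case so that tokenId 0 cannot win by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;
// Added illustration, not the MartenitsaVoting source. Apart from startVoting and
// announceWinner, every name here (VotingGuardSketch, startVoteTime, duration,
// tokenIds, voteCounts, hasVoted, vote) and the 1-day duration are assumptions.
contract VotingGuardSketch {
    address public immutable owner;
    uint256 public startVoteTime;              // stays 0 until startVoting() runs
    uint256 public constant duration = 1 days; // assumed voting window
    uint256[] private tokenIds;                // candidate tokens
    mapping(uint256 => uint256) public voteCounts;
    mapping(address => bool) public hasVoted;

    error VotingNotStarted();
    error VotingStillActive();
    error NoVotesCast();

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256[] memory ids) { owner = msg.sender; tokenIds = ids; }

    function startVoting() external onlyOwner { startVoteTime = block.timestamp; }

    function vote(uint256 tokenId) external {
        if (startVoteTime == 0) revert VotingNotStarted();
        require(block.timestamp < startVoteTime + duration, "voting closed");
        require(!hasVoted[msg.sender], "already voted");
        hasVoted[msg.sender] = true;
        voteCounts[tokenId] += 1;
    }

    function announceWinner() external onlyOwner returns (uint256 winnerTokenId) {
        // Guard 1: if startVoteTime is still 0, a deadline check of the form
        // "now >= start + duration" passes on any real chain, so reject it first.
        if (startVoteTime == 0) revert VotingNotStarted();
        if (block.timestamp < startVoteTime + duration) revert VotingStillActive();

        uint256 maxVotes;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            if (voteCounts[tokenIds[i]] > maxVotes) {
                maxVotes = voteCounts[tokenIds[i]];
                winnerTokenId = tokenIds[i];
            }
        }
        // Guard 2: with zero votes winnerTokenId keeps its default value 0,
        // which would hand the win to the holder of tokenId 0.
        if (maxVotes == 0) revert NoVotesCast();
    }
}
```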