The owner, acting as a producer, can maliciously win the voting event in the MartenitsaVoting contract (edge case).
The owner can call the announceWinner function without first calling the startVoting function. This means the owner can end the voting event without giving anyone the chance to participate in it.
This can be combined with the vulnerability titled "tokenId 0's producer can win the voting event by default in case of 0 votes in MartenitsaVoting contract (Edge Case)": the owner can first become the first MartenitsaToken holder, with tokenId 0, and then call announceWinner without calling startVoting.
As stated in the mentioned vulnerability, when there are no votes the winner of the voting event is by default the MartenitsaToken holder with tokenId 0. Thus, the owner wins by default without giving any user a chance to participate in the voting event.
After the owner has completed the setup of the protocol, he can participate in the protocol as a producer. The owner can use his owner privileges to maliciously win the voting event as a producer and gain HealthToken.
Manual Review
Change the conditions of the announceWinner function so that the owner cannot call it without first calling the startVoting function.
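One way to apply this recommendation, as an added sketch that is not the MartenitsaVoting source: announceWinner reverts unless startVoting has run and the voting window has elapsed. It goes one step beyond the recommendation by declaring no winner when zero votes were cast, which covers the related tokenId 0 finding. Only startVoting and announceWinner are names from the finding; the contract name, vote, DURATION, the storage layout and the event are assumptions, and token ownership checks are not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Added sketch, not the MartenitsaVoting source. Only startVoting and
/// announceWinner are names from the finding; everything else is assumed.
contract VotingGuardSketch {
    address public immutable owner;
    uint256 public constant DURATION = 1 days; // assumed voting window
    uint256 public startVoteTime;              // 0 means startVoting never ran
    bool public announced;
    uint256[] private votedIds;                // token ids with at least one vote
    mapping(uint256 => uint256) public voteCounts;
    mapping(address => bool) public hasVoted;

    event WinnerAnnounced(bool hasWinner, uint256 tokenId);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function startVoting() external onlyOwner {
        require(startVoteTime == 0, "already started");
        startVoteTime = block.timestamp;
    }

    function vote(uint256 tokenId) external {
        require(startVoteTime != 0, "voting not started");
        require(block.timestamp < startVoteTime + DURATION, "voting closed");
        require(!hasVoted[msg.sender], "already voted");
        hasVoted[msg.sender] = true;
        if (voteCounts[tokenId]++ == 0) votedIds.push(tokenId);
    }

    function announceWinner() external onlyOwner {
        // Guard 1: the owner cannot close an event that was never opened.
        require(startVoteTime != 0, "voting not started");
        require(block.timestamp >= startVoteTime + DURATION, "voting still active");
        require(!announced, "already announced");
        announced = true;
        // Guard 2: zero votes means no winner, so tokenId 0 gains nothing by default.
        uint256 best;
        uint256 winner;
        for (uint256 i = 0; i < votedIds.length; i++) {
            uint256 id = votedIds[i];
            if (voteCounts[id] > best) (best, winner) = (voteCounts[id], id);
        }
        emit WinnerAnnounced(best > 0, winner);
    }
}
```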