Submission Details
Severity: medium
Valid

DOS after buying the winner Martenitsa token

Summary

Buying the winning Martenitsa token before the winner is announced causes a denial of service in announceWinner().

Vulnerability Details

A malicious actor can:

  1. Wait for the vote to end.

  2. Buy the winner token before announceWinner() is executed.

Notice that a token must be for sale to be eligible to enter a vote.

In MartenitsaVoting.sol, announceWinner() fetches the listing of winnerTokenId through getListing(), and getListing() requires the token to be for sale. If a malicious actor buys the token before announceWinner() is called, the purchase sets listing.forSale to false, so getListing() fails and announceWinner() cannot complete, resulting in a denial of service.

Impact

The winner is prevented from receiving the reward.

Tools Used

Manual review.

Recommendations

Consider adding logic to prevent the winning token from being purchased until announceWinner() has been executed.
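
One way to apply this recommendation, shown as an added sketch that is not the audited project's code: a single constructed contract stands in for both the marketplace and MartenitsaVoting.sol. Only `announceWinner()`, `getListing()`, `winnerTokenId` and `listing.forSale` come from the finding; every other name, the fixed deadline, and the choice to lock every token that has received a vote are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model, not the audited code. The NFT transfer itself is omitted.
contract VotingMarketSketch {
    struct Listing { address seller; uint256 price; bool forSale; }

    mapping(uint256 => Listing) public listings;
    mapping(uint256 => uint256) public votes;
    mapping(uint256 => bool) public inVote; // token has received a vote
    uint256 public immutable voteEnd;       // assumed fixed voting deadline
    uint256 public winnerTokenId;           // current leader
    bool public announced;

    constructor(uint256 duration) { voteEnd = block.timestamp + duration; }

    function list(uint256 tokenId, uint256 price) external {
        listings[tokenId] = Listing(msg.sender, price, true);
    }

    // Precondition described in the finding: fails once forSale is false.
    function getListing(uint256 tokenId) public view returns (Listing memory) {
        require(listings[tokenId].forSale, "Token is not listed for sale");
        return listings[tokenId];
    }

    function vote(uint256 tokenId) external {
        require(block.timestamp < voteEnd, "Voting ended");
        getListing(tokenId); // a token must be for sale to enter the vote
        inVote[tokenId] = true;
        votes[tokenId] += 1;
        if (votes[tokenId] > votes[winnerTokenId]) winnerTokenId = tokenId;
    }

    function buy(uint256 tokenId) external payable {
        Listing memory l = getListing(tokenId);
        // Mitigation: a token that entered the vote cannot be bought until the
        // winner is announced, so a purchase cannot clear forSale beforehand.
        require(!inVote[tokenId] || announced, "Locked until winner announced");
        require(msg.value == l.price, "Wrong price");
        listings[tokenId].forSale = false;
        (bool ok, ) = l.seller.call{value: msg.value}("");
        require(ok, "Payment failed");
    }

    function announceWinner() external returns (address winner) {
        require(block.timestamp >= voteEnd && !announced, "Not ready");
        winner = getListing(winnerTokenId).seller; // a buy cannot have cleared forSale
        announced = true;
    }
}
```

Without the lock in `buy()`, a purchase between `voteEnd` and `announceWinner()` would flip `forSale` and make the `getListing()` call inside `announceWinner()` fail, which is the condition the finding describes.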

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Unable to receive reward
