Submission Details
Severity:
`MartenitsaVoting:voteForMartenitsa` user can vote even startvoting is not started from the genesis block to the 86400 blocks.
Summary
MartenitsaVoting:voteForMartenitsa user can vote even startvoting is not started from the genesis block to the 86400 blocks, what represent approximatively 14 days.
Vulnerability Details
In MartenitsaVoting contract even if startVoteTime == 0 ; instead of startVoteTime = block.timestamp; it's possible for users to pass the require control structure in MartenitsaVoting:voteForMartenitsa during the first 86400 blocks (~14days).
/**
* @notice Function to vote for martenitsa of the sale list.
* @param tokenId The tokenId of the martenitsa.
*/
function voteForMartenitsa(uint256 tokenId) external {
require(!hasVoted[msg.sender], "You have already voted");
require(block.timestamp < startVoteTime + duration, "The voting is no longer active");
list = _martenitsaMarketplace.getListing(tokenId);
require(list.forSale, "You are unable to vote for this martenitsa");
hasVoted[msg.sender] = true;
voteCounts[tokenId] += 1;
_tokenIds.push(tokenId);
}
Impact
Users can vote during the first 14 days even if voting is not started
Tools Used
Manuel review
Recommendations
Add a second check in require structure control in MartenitsaVoting:voteForMartenitsa
require(startVoteTime != 0 && block.timestamp < startVoteTime + duration, "The voting is no longer active");
Rewards breakdown
nSLOC
239This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.