Submission Details
Severity: low
Valid

Owner of token 0 will always win if there are no votes

Summary

If no one voted and MartenitsaVoting::announceWinner is called, the owner of tokenId 0 will win.

Vulnerability Details

If the MartenitsaVoting::announceWinner function is called and no one voted for a winner, winnerTokenId is never updated, and since its default value is 0, the healthToken is distributed to the owner of tokenId 0.

    function announceWinner() external onlyOwner {
        require(
            block.timestamp >= startVoteTime + duration,
            "The voting is active"
        );
        uint256 winnerTokenId;
        uint256 maxVotes = 0;
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            // with no votes this condition is never true, so the body is skipped
            if (voteCounts[_tokenIds[i]] > maxVotes) {
                maxVotes = voteCounts[_tokenIds[i]];
                winnerTokenId = _tokenIds[i];
            }
        }
        // winnerTokenId is still its default value, 0
        list = _martenitsaMarketplace.getListing(winnerTokenId);
        _healthToken.distributeHealthToken(list.seller, 1);
        emit WinnerAnnounced(winnerTokenId, list.seller);
    }

Impact

Owner of tokenId 0 will win if no one has voted.

Tools Used

Manual Review

Recommendations

Consider adding logic to prevent the win of tokenId 0 each time there are no votes.
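
One way to implement this recommendation, as an added example that is not the project's own code: announceWinner returns before any payout when maxVotes is still 0. The contract name, the two reduced interfaces (getListing returning only the seller address), the event declarations including NoWinner, the constructor and the simplified vote function are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;
// Reduced to the two calls visible in announceWinner; signatures are assumptions.
interface IMarketplace { function getListing(uint256 tokenId) external view returns (address seller); }
interface IHealthToken { function distributeHealthToken(address to, uint256 amount) external; }

contract VotingNoDefaultWinner {
    address public immutable owner;
    IMarketplace private immutable _martenitsaMarketplace;
    IHealthToken private immutable _healthToken;
    uint256 public immutable startVoteTime;
    uint256 public immutable duration;
    uint256[] private _tokenIds;
    mapping(uint256 => uint256) public voteCounts;
    event WinnerAnnounced(uint256 indexed winnerTokenId, address indexed winner);
    event NoWinner(); // hypothetical: emitted when nobody voted

    constructor(IMarketplace m, IHealthToken h, uint256[] memory ids, uint256 duration_) {
        owner = msg.sender;
        _martenitsaMarketplace = m;
        _healthToken = h;
        _tokenIds = ids;
        startVoteTime = block.timestamp;
        duration = duration_;
    }

    // Simplified stand-in for the project's vote function, no eligibility checks.
    function vote(uint256 tokenId) external {
        require(block.timestamp < startVoteTime + duration, "The voting is no longer active");
        voteCounts[tokenId]++;
    }

    function announceWinner() external {
        require(msg.sender == owner, "Not owner");
        require(block.timestamp >= startVoteTime + duration, "The voting is active");
        uint256 winnerTokenId;
        uint256 maxVotes = 0;
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            if (voteCounts[_tokenIds[i]] > maxVotes) {
                maxVotes = voteCounts[_tokenIds[i]];
                winnerTokenId = _tokenIds[i];
            }
        }
        // maxVotes == 0 means winnerTokenId is still the default 0: pay out nothing.
        if (maxVotes == 0) { emit NoWinner(); return; }
        address seller = _martenitsaMarketplace.getListing(winnerTokenId);
        _healthToken.distributeHealthToken(seller, 1);
        emit WinnerAnnounced(winnerTokenId, seller);
    }
}
```

Checking maxVotes rather than winnerTokenId keeps tokenId 0 eligible to win when it actually receives the most votes.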

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`tokenId=0` wins the voting
