First Flight #13: Baba Marta

Summary

MartenitsaVoting contract is not resetting the state variables after each voting period. This leads to issues where users who have voted in a previous round are prevented from voting again, and the vote counts from previous rounds persist, skewing the results of subsequent votes.

Vulnerability Details

The main vulnerability lies in the lack of resetting state variables after each voting period:

1. The MartenitsaVoting::startVoting function is called and the vote can begin.

2. Users vote for a Martenitsa Token.

3. Voting period ends and the winner is announced.

4. The MartenitsaVoting::startVoting function is called again for a new round of vote.

5. Users who have voted in the previous vote round could not vote again, and voteCounts is accumulated from the previous round, which could lead to the incorrect winner.

Impact

• Users who have voted in a previous round are unfairly restricted from participating in subsequent votes.

• Accumulated vote counts from previous rounds skew the results of subsequent votes, leading to incorrect winner announcements.

• Overall, the integrity and fairness of the voting process are compromised, undermining the trust and functionality of the contract.

Tools Used

Manual Review

Recommendations

Consider implementing new instance each vote round.