Severity: low
Invalid

Producers are not prevented from voting via `MartenitsaVoting::voteForMartenitsa`

Summary

Producers are able to vote for MartenitsaTokens, contrary to the specified protocol design.

Vulnerability Details

The `MartenitsaVoting::voteForMartenitsa` function currently allows anyone to vote on MartenitsaTokens, contrary to the intended system design, which specifies that only non-producer users are eligible to vote.

Impact

Allowing producers to vote may result in biased outcomes in voting contests, as producers could potentially vote for their own entries or manipulate the results to favor certain outcomes. This could damage the integrity and credibility of the voting process, leading to reduced trust among participants.

Tools Used

Foundry, manual review

Proof of code

Add the following code to the `MartenitsaVoting.t.sol` file:

```solidity
function test__VoteForMartenitsa__AsProducer() public listMartenitsa {
    vm.prank(chasy); // chasy == producer
    vm.expectRevert();
    voting.voteForMartenitsa(0); // --> will not revert
    assert(voting.hasVoted(chasy) == false);
}
```

Recommendations

Implement an additional check in the `MartenitsaVoting::voteForMartenitsa` function to verify that the caller is not a producer before allowing them to vote.

Note: make sure to include MartenitsaToken as a storage variable beforehand.

function voteForMartenitsa(uint256 tokenId) external {
+ require(!_martenitsaToken.isProducer(msg.sender), "You cannot vote as producer");
require(!hasVoted[msg.sender], "You have already voted");
// ...
}
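
Review bot: `_martenitsaToken` on the added `require` line is not declared anywhere in this snippet, so the `+` line does not compile on its own. The note above asks for a MartenitsaToken storage variable; the patch should also show that declaration and where it is assigned, so the fix can be applied and the proof-of-code test re-run as written.
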
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Producers vote for themself
