A single user can control multiple addresses and join the event with each of them. The Dussehra protocol treats every address as a different user, so a single user operating several addresses can hold multiple entries in the protocol.
They can then call increaseValuesOfParticipants with the tokenIds they own at their different addresses, which lets them always win. Other participants never win, because the participant tokenId passed belongs to the same user.
The vulnerability is present in the Dussehra::enterPeopleWhoLikeRam function, which admits any entrant with a different address. Because the same user can also have different addresses, the same user can enter the event multiple times.
A user who then calls the increaseValuesOfParticipants function and passes tokenIds that they own at different addresses will always win, and because they never pass a tokenId that belongs to another user, they eliminate the other participants' chance of winning.
Therefore, other participants of the protocol will never win if users participate in the protocol with different addresses.
A user participating with multiple entries from different addresses causes other participants to never win, as the other participants' tokenIds are never passed in the other-participant tokenId field.
Manual Review
Implement whitelisting for the users who may enter the protocol, verifying each user's unique identity via an off-chain mechanism.
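
One way to enforce this recommendation on-chain, as an added example that is not the Dussehra code: an off-chain verifier signs an attestation binding one verified identity to one address, and the contract accepts each identity only once. The contract name, `enter`, `identityId` and the `verifier` signing key are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names and the signer model are assumptions,
// not taken from the Dussehra contracts.
contract OneEntryPerIdentity {
    address public immutable verifier;            // key of the off-chain identity verifier (assumed)
    mapping(bytes32 => bool) public identityUsed; // one entry per verified identity
    mapping(address => bool) public entered;      // one entry per address

    error ZeroVerifier();
    error InvalidAttestation();
    error IdentityAlreadyEntered();
    error AddressAlreadyEntered();

    constructor(address _verifier) {
        if (_verifier == address(0)) revert ZeroVerifier();
        verifier = _verifier;
    }

    /// @param identityId opaque id the verifier assigns to one real-world identity
    function enter(bytes32 identityId, uint8 v, bytes32 r, bytes32 s) external {
        if (entered[msg.sender]) revert AddressAlreadyEntered();
        // A second address presenting the same identity is rejected here.
        if (identityUsed[identityId]) revert IdentityAlreadyEntered();

        // Bind the attestation to this chain, this contract, the caller and
        // the identity, so it cannot be reused elsewhere or by another address.
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), msg.sender, identityId)
        );
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );

        // ecrecover returns address(0) on a malformed signature.
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0) || signer != verifier) revert InvalidAttestation();

        identityUsed[identityId] = true;
        entered[msg.sender] = true;
        // The event's existing entry logic would run after this point.
    }
}
```

The guarantee is only as strong as the verifier's off-chain uniqueness check, and its signing key becomes a trusted component that needs the same protection as an admin key.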