Submission Details
Severity: high
Invalid

function joinEvent doesn't check if the event has started

Summary

    function joinEvent() external {
        require(block.timestamp < eventEndTime, "Event has ended");
        require(
            !_participants[msg.sender],
            "You have already joined the event"
        );
        require(
            !isProducer[msg.sender],
            "Producers are not allowed to participate"
        );
        require(
            _healthToken.balanceOf(msg.sender) >= healthTokenRequirement,
            "Insufficient HealthToken balance"
        );

        _participants[msg.sender] = true;
        participants.push(msg.sender);
        emit ParticipantJoined(msg.sender);

        bool success = _healthToken.transferFrom(
            msg.sender,
            address(this),
            healthTokenRequirement
        );
        require(success, "The transfer is not successful");
        _addProducer(msg.sender);
    }

It checks that the event hasn't ended yet but it doesn't check if the event has started.

Vulnerability Details

Because it doesn't check that the event has started, users can join before the event has started.

Impact

High

PoC

    function testJoinEventBeforeStart() public eligibleForReward {
        // Try to join the event before it starts
        martenitsaEvent.joinEvent();

        // Verify that the participant has joined
        assertTrue(martenitsaEvent.getParticipant(chasy), "Participant should have joined the event");
    }

This test demonstrates that the joinEvent function allows participation even before the event has started, which is not the intended behavior according to the requirements.

Tools Used

Manual Review

Recommendations

By adding the require(block.timestamp >= eventStartTime, "Event has not started yet"); line, you ensure that participants can only join the event after its start time. If this condition is not met, the transaction will revert with the error message "Event has not started yet".

function joinEvent() external {
+ require(block.timestamp >= eventStartTime, "Event has not started yet");
require(block.timestamp < eventEndTime, "Event has ended");
require(!_participants[msg.sender], "You have already joined the event");
require(!isProducer[msg.sender], "Producers are not allowed to participate");
require(_healthToken.balanceOf(msg.sender) >= healthTokenRequirement, "Insufficient HealthToken balance");
_participants[msg.sender] = true;
participants.push(msg.sender);
emit ParticipantJoined(msg.sender);
bool success = _healthToken.transferFrom(
msg.sender,
address(this),
healthTokenRequirement
);
require(success, "The transfer is not successful");
_addProducer(msg.sender);
}
}
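Review bot: the added require at the top of joinEvent reads eventStartTime, but nothing in the function as quoted shows where eventStartTime or eventEndTime is assigned, so the change does not establish that joinEvent can succeed before the start. If eventEndTime is still zero until the event is started, the existing "Event has ended" check already reverts and the new line is redundant. State how both variables are initialised, and have the PoC assert the pre-start state (for example with vm.warp and vm.expectRevert) instead of only asserting a successful join. The snippet also ends with one more closing brace than it opens.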
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
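
A boundary test for the start/end window discussed in this submission, as an added example that is not code from the contest or from the submitter. `TimedEvent`, its `startEvent(startsAt, duration)` signature and the zero-initialised `eventEndTime` are constructed assumptions; the test goes slightly beyond the page by covering a never-started event and both window edges using Foundry's `vm.warp` and `vm.expectRevert`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, NOT the contest contract: only the time window is modelled.
contract TimedEvent {
    uint256 public eventStartTime;
    uint256 public eventEndTime; // assumption: stays 0 until startEvent() runs
    mapping(address => bool) public joined;

    // Assumption: the start can be scheduled in the future.
    function startEvent(uint256 startsAt, uint256 duration) external {
        eventStartTime = startsAt;
        eventEndTime = startsAt + duration;
    }

    function joinEvent() external {
        require(block.timestamp >= eventStartTime, "Event has not started yet");
        require(block.timestamp < eventEndTime, "Event has ended");
        joined[msg.sender] = true;
    }
}

contract TimedEventTest is Test {
    TimedEvent internal ev = new TimedEvent();

    function _join(address who, bytes memory expectedRevert) internal {
        if (expectedRevert.length != 0) vm.expectRevert(expectedRevert);
        vm.prank(who);
        ev.joinEvent();
    }

    function testJoinWindowBoundaries() public {
        address user = makeAddr("user");

        // Never started: eventEndTime is 0, so the end check alone already rejects.
        _join(user, "Event has ended");

        ev.startEvent(1_000, 100); // window is [1000, 1100)
        vm.warp(999); // one second before the start
        _join(user, "Event has not started yet");
        vm.warp(1_000); // first valid second
        _join(user, "");
        assertTrue(ev.joined(user));
        vm.warp(1_100); // end is exclusive
        _join(makeAddr("late"), "Event has ended");
    }
}
```

A PoC for a "join before start" claim needs the first kind of assertion: it has to pin the pre-start state and show the call succeeding there, not just show a successful join at an unspecified time.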
