`participants` variable is not deleted after event which leads to DOS of `stopEvent` function
Summary
participants variable is not deleted after event which leads to owner unable to stop event.
Vulnerability Details
After event is started using startEvent function, users participates in the event using joinEvent function. When a user enter this function, his account's address is added in the participants array variable which stores all the current participants of the contract.
The issue arises when the event is ended. When event ends using stopEvent function, users who participated in the event are no longer participants so their addresses should be removed from participants variable after the event ends. But the stopEvent function does not deletes the users added. Making the participants variable a ever growing list with new additions after each event.
Impact
After many events, the participants array variable will become very large such that when owner runs stopEvent function, it reaches gas limit and the transaction will revert. Due to this, owner won't be able to stop the event, therefore, resulting in the DOS of stopEvent function and the event will always be active.
Tools Used
Manual Review
Recommendations
Add this code in MartenitsaEvent::stopEvent function:
Lead Judging Commences
_participants is not updated
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.