Summary :
A user can deposit an amount of 0 and still be registered as a participant, because ChristmasDinner::deposit lacks a zero-value check on the amount.
Vulnerability Details :
A user can call deposit with an amount of 0 and will be added to the participant list. The call does not revert because a zero-value transfer succeeds on standard ERC20 tokens, so the participant flag is set without any funds being received. Whenever a user exploits this, the total amount collected no longer matches the number of participants, which leads to budget problems when managing the event.
Proof of Code :
Include this test in your ChristmasDinnerTest.t.sol
function test_CanUserPayZeroAmountAndDoParticipate() public {
    // user1 is not a participant before the zero-value deposit
    assertFalse(cd.getParticipationStatus(user1));
    console.log("participation status of user1 before deposit is ", cd.getParticipationStatus(user1));

    vm.prank(user1);
    cd.deposit(address(wbtc), 0);

    // user1 is now registered as a participant although nothing was paid
    assertTrue(cd.getParticipationStatus(user1));
    console.log("participation status of user1 after deposit is ", cd.getParticipationStatus(user1));
}
Impact :
Medium
Tools Used :
Manual Review
Unit testing
Recommendations :
Add a zero-value check for the amount in function ChristmasDinner::deposit (the line marked with + is the recommended addition):

function deposit(address _token, uint256 _amount) external beforeDeadline {
+   require(_amount > 0, "Invalid amount");
    if (!whitelisted[_token]) {
        revert NotSupportedToken();
    }
    if (participant[msg.sender]) {
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(msg.sender, _amount);
    } else {
        participant[msg.sender] = true;
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    }
}
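As an added regression test for the recommended fix (written for this report, not taken from the ChristmasDinner code base), the following two tests check that a zero-value deposit is now rejected without touching state and that a normal deposit still registers the participant and actually moves the funds. They assume the same fixture names as the PoC above (cd, user1, wbtc), a forge-std Test base contract with IERC20 imported, and that the fix is applied exactly as recommended, i.e. require(_amount > 0, "Invalid amount").

```solidity
// Assumptions: placed in ChristmasDinnerTest.t.sol next to the PoC; the test contract
// inherits forge-std's Test; cd, user1 and wbtc are the fixture's existing names.
function test_ZeroDepositRevertsAfterFix() public {
    assertFalse(cd.getParticipationStatus(user1));

    // With the fix in place, a zero-value deposit must revert before any state is written.
    vm.prank(user1);
    vm.expectRevert(bytes("Invalid amount"));
    cd.deposit(address(wbtc), 0);

    // Nothing changed: user1 is still not a participant.
    assertFalse(cd.getParticipationStatus(user1));
}

function test_NonZeroDepositStillRegistersParticipant() public {
    uint256 amount = 1e8; // constructed sample value, i.e. 1 WBTC with 8 decimals
    uint256 before = IERC20(address(wbtc)).balanceOf(address(cd));

    // forge-std's deal() writes the ERC20 balance directly, so this test does not
    // depend on how the fixture mints or distributes wbtc.
    deal(address(wbtc), user1, amount);

    vm.startPrank(user1);
    IERC20(address(wbtc)).approve(address(cd), amount);
    cd.deposit(address(wbtc), amount);
    vm.stopPrank();

    // The fix must not break the normal path: participation is recorded and the
    // contract's token balance grew by exactly the deposited amount, so collected
    // funds and participants stay consistent.
    assertTrue(cd.getParticipationStatus(user1));
    assertEq(IERC20(address(wbtc)).balanceOf(address(cd)) - before, amount);
}
```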