The setDeadline() function doesn't update deadlineSet to true when the deadline is set, and it has no zero check on its argument as a safety measure.
If we don't check whether _days is 0, it could lead to a Denial of Service. And if deadlineSet isn't updated to true when the deadline is set, the host can keep changing the deadline whenever they wish. The revert DeadlineAlreadySet() will never be executed.
Attack:
After the contract has been deployed with a deadline set, a malicious host can call the function again later with _days = 0; the deadline then becomes the current block.timestamp, meaning the deadline is effectively immediate. Any functionality dependent on this deadline becomes inaccessible as soon as the transaction is mined, because subsequent blocks have a block.timestamp greater than deadline. The host could then withdraw everything, scamming the participants.
This could serve as a DoS (Denial of Service), resulting in users no longer being able to access their funds.
A malicious host can also suddenly change the deadline to an earlier date without prior notice, leaving participants unable to refund their funds if they planned to do so later, because the deadlineSet value is never updated.
Manual Review
Add a check for _days > 0, and set deadlineSet = true in the else block so the state is updated when the deadline is set.
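The behaviour described in this finding next to the recommended fix, as an added sketch that is not the audited contract's source. The contract name DeadlineSketch, the onlyHost modifier, the host variable and the ZeroDays and NotHost errors are assumptions made for illustration; setDeadline, _days, deadline, deadlineSet and DeadlineAlreadySet follow the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a minimal sketch built from the finding's description.
contract DeadlineSketch {
    error DeadlineAlreadySet();
    error ZeroDays(); // hypothetical error name
    error NotHost();  // hypothetical error name

    address public immutable host; // assumed: a single privileged host
    uint256 public deadline;
    bool public deadlineSet;

    constructor() {
        host = msg.sender;
    }

    modifier onlyHost() {
        if (msg.sender != host) revert NotHost();
        _;
    }

    // As described in the finding: deadlineSet is read but never written,
    // so the revert below is unreachable and the host can call this repeatedly.
    function setDeadlineVulnerable(uint256 _days) external onlyHost {
        if (deadlineSet) {
            revert DeadlineAlreadySet();
        } else {
            // With _days == 0 the deadline equals the current block.timestamp.
            deadline = block.timestamp + _days * 1 days;
        }
    }

    // Recommended form: reject zero, and latch the flag on the first
    // successful call so every later call reverts.
    function setDeadline(uint256 _days) external onlyHost {
        if (_days == 0) revert ZeroDays();
        if (deadlineSet) {
            revert DeadlineAlreadySet();
        } else {
            deadlineSet = true;
            deadline = block.timestamp + _days * 1 days;
        }
    }
}
```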