The refund function is designed to allow participants to withdraw their contributions if they no longer wish to attend the event. However, the implementation lacks a mechanism to remove the participant from the participant list (stored in a mapping). This omission leaves the participant marked as attending despite their refund, leading to potential inconsistencies and exploitation.
The participant mapping stores the attendance status of users, marking them as true when they sign up for the event (e.g., through ChristmasDinner::deposit). The refund function allows participants to withdraw their contributions but does not update the participant mapping to remove them from the list. As a result, participants who have been refunded still appear as attending, which could create inaccurate participant records or allow refunded users to exploit other functions that depend on participant status.
Append the following line of code at the end of the function test_refundWithinDeadline in the test suite:
Run the test with forge test --mt test_refundWithinDeadline -vvvv and observe that the assert passes.
This vulnerability results in:
- Inaccurate Data: The participant list becomes unreliable, affecting event planning and operations.
- Exploitation Risks: Refunded participants could unfairly benefit from functions intended only for valid attendees. Off-chain consumers of events are affected as well: an event is emitted when a user becomes a participant, but no corresponding event is emitted on refund.
Manual code review, Foundry
Update the Participant Mapping by removing participants from the list upon a successful refund:
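A minimal sketch of that change, added here as an illustration and not taken from the ChristmasDinner code base: it puts a refund that leaves the flag set next to one that clears it. The contract name, the ETH-only balance bookkeeping, both events and the refundUnfixed/refundFixed names are assumptions; the deadline check and token handling are left out to keep the focus on the mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified stand-in for the contract discussed in this finding.
// Only `deposit`, `refund` and the participant mapping are named on the page;
// every other identifier here is an assumption made for the example.
contract DinnerSketch {
    mapping(address => bool) public participant;      // attendance flag
    mapping(address => uint256) public etherBalance;  // assumed bookkeeping

    event NewSignup(address indexed user, uint256 amount);            // assumed
    event ParticipantRefunded(address indexed user, uint256 amount);  // assumed

    function deposit() external payable {
        require(msg.value > 0, "no value");
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
        emit NewSignup(msg.sender, msg.value);
    }

    // Behaviour described in the finding: the funds are returned,
    // but the caller is still recorded as attending afterwards.
    function refundUnfixed() external {
        uint256 amount = etherBalance[msg.sender];
        require(amount > 0, "nothing to refund");
        etherBalance[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // participant[msg.sender] remains true here
    }

    // Recommended behaviour: clear the flag and emit an event, both done
    // before the external call so state is final when control leaves.
    function refundFixed() external {
        uint256 amount = etherBalance[msg.sender];
        require(amount > 0, "nothing to refund");
        etherBalance[msg.sender] = 0;
        participant[msg.sender] = false;
        emit ParticipantRefunded(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A Foundry test against this sketch can deposit, call each refund variant, and compare participant(user) afterwards: it stays true with refundUnfixed and becomes false with refundFixed.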