The changeParticipationStatus() function allows users to become participants in the event without requiring a deposit. This can be exploited by users who want to gain participant status without contributing any funds, potentially leading to unfair benefits.
The second else if condition in the changeParticipationStatus() function allows users to change their participation status to true (i.e., become participants) as long as they haven't already participated and the deadline has not passed. However, it does not require a deposit to become a participant, allowing users to mark themselves as participants without contributing any funds.
This vulnerability allows users to gain participant status and potentially access benefits (such as refunds or event-related privileges) without making any deposits. This undermines the intended purpose of the contract, where only those who contribute should be considered participants.
Manual code review
Update the changeParticipationStatus() function to ensure that a user can only become a participant if they have made a deposit (either in Ether or a supported token). This can be done by checking the user's deposit balances before allowing them to change their participation status.
Example fix:
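The following Solidity contract is an added example, not the audited contract's code: it gates the join branch of changeParticipationStatus() on a recorded Ether or supported-token deposit. Every name other than changeParticipationStatus() (the mappings, supportedTokens, depositToken, hasDeposit) and the shape of the leave branch are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration: all names except changeParticipationStatus() are
// assumptions, not taken from the audited contract.
contract ParticipationGate {
    uint256 public immutable deadline;
    address[] public supportedTokens;
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    mapping(address => mapping(address => uint256)) public tokenBalance; // user => token => amount

    constructor(uint256 _deadline, address[] memory _tokens) {
        deadline = _deadline;
        supportedTokens = _tokens;
    }

    receive() external payable {
        etherBalance[msg.sender] += msg.value;
    }

    function depositToken(uint256 index, uint256 amount) external {
        address token = supportedTokens[index]; // out-of-range index reverts
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        tokenBalance[msg.sender][token] += amount;
    }

    // True if the user holds a non-zero Ether or supported-token deposit.
    function hasDeposit(address user) public view returns (bool) {
        if (etherBalance[user] > 0) return true;
        for (uint256 i = 0; i < supportedTokens.length; i++) {
            if (tokenBalance[user][supportedTokens[i]] > 0) return true;
        }
        return false;
    }

    function changeParticipationStatus() external {
        if (participant[msg.sender]) {
            participant[msg.sender] = false; // leaving needs no deposit
        } else if (block.timestamp <= deadline) {
            // Per the finding, this branch set the flag with no deposit check.
            require(hasDeposit(msg.sender), "deposit required");
            participant[msg.sender] = true;
        } else {
            revert("beyond deadline");
        }
    }
}
```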