Summary
In the ChristmasDinner.sol `deposit` function there is no check for a minimum amount, so an attacker can join the event by passing a token amount of zero.
Vulnerability Details
The code below is from ChristmasDinner.sol; it performs no check on how many tokens are deposited.
function deposit(address _token, uint256 _amount) external beforeDeadline {
    if (!whitelisted[_token]) {
        revert NotSupportedToken();
    }
    // No check that _amount > 0: a zero deposit still passes through here.
    if (participant[msg.sender]) {
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(msg.sender, _amount);
    } else {
        // First deposit: caller becomes a participant even when _amount == 0.
        participant[msg.sender] = true;
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    }
}
POC
function test_depositBeforeDeadline() public {
    vm.warp(1 + 3 days);            // still before the deadline
    vm.startPrank(user1);
    cd.deposit(address(wbtc), 0);   // deposit zero tokens
    // user1 is now registered as a participant...
    assertEq(cd.getParticipationStatus(user1), true);
    // ...while the contract received nothing.
    assertEq(wbtc.balanceOf(address(cd)), 0);
    vm.stopPrank();
}
Impact
There is a direct loss of funds because an attacker can join the event free of charge, and anyone can do it. The impact is therefore HIGH.
Tools Used
Manual review
Recommendations
There must be a check that rejects a zero token amount in `deposit`:
require(_amount > 0, "Amount must be greater than zero");
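The same fix expressed in the contract's own custom-error style, followed by a Foundry test that proves a zero deposit no longer registers a participant. This is an added example, not the project's code: the error name `ZeroAmount`, the test name, and the `cd`/`wbtc`/`user1` fixtures (as in the POC above) are assumptions.

```solidity
// --- ChristmasDinner.sol (patched deposit, assumed error name) ---
error ZeroAmount(); // assumed; the require string above works equally well

function deposit(address _token, uint256 _amount) external beforeDeadline {
    if (!whitelisted[_token]) {
        revert NotSupportedToken();
    }
    // Reject free sign-ups before any state is touched.
    if (_amount == 0) {
        revert ZeroAmount();
    }
    if (participant[msg.sender]) {
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(msg.sender, _amount);
    } else {
        participant[msg.sender] = true;
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    }
}

// --- ChristmasDinner.t.sol (assumed test name; same fixtures as the POC) ---
function test_zeroDepositReverts() public {
    vm.warp(1 + 3 days);            // still before the deadline
    vm.startPrank(user1);
    vm.expectRevert(ZeroAmount.selector);
    cd.deposit(address(wbtc), 0);   // must revert now
    vm.stopPrank();
    // Nothing changed: no participant flag, no balance.
    assertEq(cd.getParticipationStatus(user1), false);
    assertEq(cd.balances(user1, address(wbtc)), 0);
    assertEq(wbtc.balanceOf(address(cd)), 0);
}
```

The `cd.balances(...)` assertion assumes the `balances` mapping is public; drop it if the contract does not expose a getter.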