Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Invalid

DoS Attack via Change Participation Status (Root Cause: Unrestricted calls to `ChristmasDinner::changeParticipationStatus`)

Summary

The `ChristmasDinner::changeParticipationStatus` function lets any address toggle its own participation status, with no restriction on how often it may be called. This makes it a Denial of Service (DoS) vector: a malicious actor can call the function repeatedly, driving up gas consumption and making it expensive or infeasible for legitimate users to change their participation status. This could prevent users from modifying their status or interacting with the contract in a meaningful way.

Vulnerability Details

Proof of Concept:

A malicious actor can call `ChristmasDinner::changeParticipationStatus` in a loop, causing high gas consumption that impacts legitimate users. The contract below wraps that loop so the spam can be driven from a single transaction, and the Foundry test after it reproduces the same spam directly from the test contract.

Exploit contract (Exploit.sol):

    // SPDX-License-Identifier: MIT
    pragma solidity 0.8.27;

    import { ChristmasDinner } from "./ChristmasDinner.sol";

    contract Exploit {
        ChristmasDinner dinner;

        constructor(address _dinnerAddress) {
            dinner = ChristmasDinner(_dinnerAddress);
        }

        // Spam changeParticipationStatus from this contract's address.
        // Every call flips the Exploit contract's own participation flag;
        // nothing stops the caller from doing this as often as it likes.
        function exploit() public {
            for (uint256 i = 0; i < 1000; i++) {
                dinner.changeParticipationStatus(); // Repeatedly calling changeParticipationStatus
            }
        }
    }

Foundry test (TestDOSChangeParticipationStatus.t.sol):

    // SPDX-License-Identifier: MIT
    pragma solidity 0.8.27;

    import "forge-std/Test.sol";
    import { ChristmasDinner } from "./ChristmasDinner.sol";

    contract TestDOSChangeParticipationStatus is Test {
        ChristmasDinner dinner;

        function setUp() public {
            // Token addresses are irrelevant to changeParticipationStatus, so zero addresses are passed.
            dinner = new ChristmasDinner(address(0), address(0), address(0));
        }

        function testChangeParticipationStatusSpam() public {
            uint256 gasBefore = gasleft();

            // Attack by calling changeParticipationStatus multiple times
            for (uint256 i = 0; i < 1000; i++) {
                dinner.changeParticipationStatus(); // Repeatedly calling changeParticipationStatus
            }

            // Report the total gas burned by the spam loop (visible with `forge test -vv`).
            emit log_named_uint("gas used by 1000 status toggles", gasBefore - gasleft());
        }
    }

Impact

The attack could lead to a significant increase in gas fees for legitimate users attempting to change their participation status. If an attacker continually triggers this function, it may make it impossible for legitimate users to interact with the contract, or cause significant delays, undermining the fair operation of the event.

Tools Used

Aderyn, Slither, Foundry (forge)

Recommendations

Introduce a per-user cooldown period between participation status changes (or an equivalent rate limit) so that a second call within the window reverts instead of executing. This bounds how often any single address can toggle its status and makes the spam loop above fail after its first iteration.
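The following is an added illustration of that recommendation and is not code from the ChristmasDinner contract or from the submitter. It shows a minimal participation toggle with a per-address cooldown, together with a Foundry test that the second call in the window reverts and that the toggle works again once the cooldown has elapsed. The contract name `ParticipationWithCooldown`, the one-hour `COOLDOWN` value, the `CooldownActive` error and the `deadline` constructor argument are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.27;

import "forge-std/Test.sol";

// Added example (not the ChristmasDinner contract): a status toggle that
// enforces a cooldown per address. Names and the 1 hour window are assumed.
contract ParticipationWithCooldown {
    uint256 public constant COOLDOWN = 1 hours;   // assumed window
    uint256 public immutable deadline;            // assumed: passed in by deployer

    mapping(address => bool) public participant;
    mapping(address => uint256) public lastChange; // timestamp of the last toggle

    error CooldownActive(uint256 availableAt);
    error BeyondDeadline();

    event ChangedParticipation(address indexed user, bool status);

    constructor(uint256 _deadline) {
        deadline = _deadline;
    }

    function changeParticipationStatus() external {
        uint256 last = lastChange[msg.sender];
        // A zero lastChange means "never toggled": do not apply the cooldown,
        // otherwise a first call on a fresh chain (timestamp < COOLDOWN) would revert.
        if (last != 0 && block.timestamp < last + COOLDOWN) {
            revert CooldownActive(last + COOLDOWN);
        }

        bool newStatus = !participant[msg.sender];
        // Opting in is only allowed before the deadline; opting out is always allowed.
        if (newStatus && block.timestamp > deadline) revert BeyondDeadline();

        participant[msg.sender] = newStatus;
        lastChange[msg.sender] = block.timestamp;
        emit ChangedParticipation(msg.sender, newStatus);
    }
}

contract ParticipationCooldownTest is Test {
    ParticipationWithCooldown p;

    function setUp() public {
        p = new ParticipationWithCooldown(block.timestamp + 7 days);
    }

    function testSecondToggleInWindowReverts() public {
        p.changeParticipationStatus();                 // first call: opts in
        assertTrue(p.participant(address(this)));

        uint256 availableAt = block.timestamp + p.COOLDOWN();
        vm.expectRevert(
            abi.encodeWithSelector(ParticipationWithCooldown.CooldownActive.selector, availableAt)
        );
        p.changeParticipationStatus();                 // spam attempt: rejected

        vm.warp(availableAt);                          // cooldown elapsed
        p.changeParticipationStatus();                 // allowed again: opts out
        assertFalse(p.participant(address(this)));
    }

    function testSpamLoopStopsAfterFirstCall() public {
        p.changeParticipationStatus();
        for (uint256 i = 0; i < 10; i++) {
            vm.expectRevert();                          // every further call in the window reverts
            p.changeParticipationStatus();
        }
        assertTrue(p.participant(address(this)));      // status unchanged by the spam
    }
}
```

Run with `forge test --match-contract ParticipationCooldownTest -vv`. Note what the cooldown does and does not buy: it caps how often one address can toggle, so a single account can no longer burn a loop of state changes in one transaction, but it is keyed on `msg.sender` and so does not stop an attacker who spreads calls across many fresh addresses; each of those callers still pays its own gas for every call.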

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
