Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: medium
Valid

Refund Function Doesn't Update Participation Status

Summary

Users can get refunded but remain as participants in the dinner event.

Vulnerability Details

    function refund() external nonReentrant beforeDeadline {
        address payable _to = payable(msg.sender); //@audit reentrancy attack since the nonReentrant modifier is not implemented properly
        _refundERC20(_to);
        _refundETH(_to);
        emit Refunded(msg.sender);
    }

After participants have taken their money (been refunded), their participant status isn't updated to false, leaving them as a participant in the dinner.

Impact

Users can get refunded but still appear as participants, leading to incorrect participant counting and potential confusion. Attackers can decide to pay and join, get refunded, and still enjoy the dinner.

Tools Used

Manual review

Recommendations

Update the participant status after the user has been refunded:

    function refund() external nonReentrant beforeDeadline {
        address payable _to = payable(msg.sender); //@audit reentrancy attack since the nonReentrant modifier is not implemented properly
        _refundERC20(_to);
        _refundETH(_to);
        participant[msg.sender] = false;
        emit Refunded(msg.sender);
    }
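
The stale-flag behaviour and a regression test for the fix, as an added example that is not part of the original submission or the audited contract. DinnerModel, DinnerModelFixed and the test names are hypothetical, the model handles ETH only, and it clears the flag before the external call rather than after it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed ETH-only model of the pattern in the finding; not the audited contract.
contract DinnerModel {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    receive() external payable {
        participant[msg.sender] = true;
        etherBalance[msg.sender] += msg.value;
    }
    // As described in the finding: funds go back, the flag is never cleared.
    function refund() external virtual {
        _refundETH(payable(msg.sender));
    }
    function _refundETH(address payable to) internal {
        uint256 amount = etherBalance[to];
        etherBalance[to] = 0;
        (bool ok,) = to.call{value: amount}("");
        require(ok, "refund failed");
    }
}

contract DinnerModelFixed is DinnerModel {
    // Clear the flag before the external call (checks-effects-interactions).
    function refund() external override {
        participant[msg.sender] = false;
        _refundETH(payable(msg.sender));
    }
}

contract RefundStatusTest is Test {
    address guest = makeAddr("guest");
    // Join with 1 ether, refund, and report the participant flag afterwards.
    function _joinAndRefund(DinnerModel dinner) internal returns (bool) {
        hoax(guest, 1 ether);
        (bool ok,) = address(dinner).call{value: 1 ether}("");
        require(ok, "deposit failed");
        vm.prank(guest);
        dinner.refund();
        assertEq(guest.balance, 1 ether); // deposit fully returned
        return dinner.participant(guest);
    }
    function test_buggyRefundLeavesStaleFlag() public {
        assertTrue(_joinAndRefund(new DinnerModel()));
    }
    function test_fixedRefundClearsFlag() public {
        assertFalse(_joinAndRefund(new DinnerModelFixed()));
    }
}
```

Run with `forge test` in a Foundry project; both tests pass, the first documenting the stale flag and the second guarding the fix.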
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund does not update participation status
