Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Valid

Unauthorized Participation Status Change

Summary

Users can become participants without making any deposits using the changeParticipationStatus function.

Vulnerability Details

```solidity
function changeParticipationStatus() external {
    if(participant[msg.sender]) {
        participant[msg.sender] = false;
    } else if(!participant[msg.sender] && block.timestamp <= deadline) { //@audit-info user can become a participant on the deadline
        // @audit an attacker can become a participant without paying using this function
        // @audit-info should check whether the user was a previous participant, and whether they requested a refund, before letting them become a participant again
        participant[msg.sender] = true;
    } else {
        revert BeyondDeadline();
    }
    emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
```

When a non-participant calls this function, the first condition fails and control moves to the second condition, which never checks who msg.sender is: a previous participant who took a refund, a previous participant who did not take a refund and wants to rejoin the dinner, or an entirely new address that has never deposited. All three are treated the same and are simply marked as participants.

Impact

This allows users to participate in the dinner event without contributing any funds.

Tools Used

Manual review

Recommendations

If a user leaves without a refund, the user must be marked as previousParticipant, and when changeParticipationStatus is called, previousParticipant should be checked before the user's status is updated to true.
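The following is an added illustration of that recommendation, not code from the ChristmasDinner contract: a minimal stand-alone contract in which a first-time participant can only be created through a deposit, leaving without a refund keeps the previousParticipant flag, a refund clears it, and changeParticipationStatus refuses to set the status to true for anyone not flagged. The deposit(), refund() and balances members are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative contract only (assumed deposit/refund/balances, not the audited code).
contract ParticipationFixExample {
    error BeyondDeadline();
    error NotAPreviousParticipant();
    event ChangedParticipation(address indexed user, bool status);
    uint256 public immutable deadline;
    mapping(address => bool) public participant;
    mapping(address => bool) public previousParticipant; // joined with funds, left without refund
    mapping(address => uint256) public balances;
    constructor(uint256 _deadline) { deadline = _deadline; }
    // Depositing is the only path to becoming a participant for the first time.
    function deposit() external payable {
        if (block.timestamp > deadline) revert BeyondDeadline();
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
        participant[msg.sender] = true;
        previousParticipant[msg.sender] = true;
        emit ChangedParticipation(msg.sender, true);
    }
    // A refund wipes the funded status; the user must deposit again to rejoin.
    // State is updated before the external call (checks-effects-interactions).
    function refund() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to refund");
        balances[msg.sender] = 0;
        participant[msg.sender] = false;
        previousParticipant[msg.sender] = false;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit ChangedParticipation(msg.sender, false);
    }
    // Hardened version: opting back in requires a still-funded prior participation,
    // so an address that never deposited (or took its refund) cannot flip itself to true.
    function changeParticipationStatus() external {
        if (participant[msg.sender]) {
            participant[msg.sender] = false;
        } else if (block.timestamp <= deadline) {
            if (!previousParticipant[msg.sender]) revert NotAPreviousParticipant();
            participant[msg.sender] = true;
        } else {
            revert BeyondDeadline();
        }
        emit ChangedParticipation(msg.sender, participant[msg.sender]);
    }
}
```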

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
