Incorrect participant Update and Missing deadline Check in receive()
Summary
The receive() function, which handles ETH deposits, incorrectly updates the participant status and lacks a deadline check, leading to inconsistencies and allowing deposits after the deadline.
Vulnerability Details
The receive() function has two major flaws:
-
Incorrect participant Update: It does not set participant[msg.sender] = true when a user sends ETH. This means users who send ETH are not considered participants.
-
Missing deadline Check: It does not check if block.timestamp is before the deadline, allowing users to send ETH even after the deadline has passed.
receive() external payable {etherBalance[msg.sender] += msg.value;emit NewSignup(msg.sender, msg.value, true);}
Impact
Inconsistent State: Users who send ETH are not marked as participants, leading to inconsistencies in the contract's state.
Deposits After Deadline: Users can deposit ETH after the deadline, which should not be allowed.
Tools Used
Manual Code Review
Recommendations
-
Update participant Status: Add participant[msg.sender] = true; to correctly mark ETH senders as participants.
-
Add deadline Check: Add require(block.timestamp <= deadline, "Deadline passed"); to prevent ETH deposits after the deadline.
receive() external payable {require(block.timestamp <= deadline, "Deadline passed");participant[msg.sender] = true;etherBalance[msg.sender] += msg.value;emit NewSignup(msg.sender, msg.value, true);}
Lead Judging Commences
receive does not update participation status
receive() function independant from deadline
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.