Christmas Dinner
First Flight #31
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

No deadline check on changeParticipationStatus could allow a user to change their participation status after deadline

w33ked

Summary

Insufficient deadline check on ChristmasDinner::changeParticipationStatus when msg.sender is a participant, allows a participant to change their status after dealine.

Vulnerability Details

The first condition of the if statement lacks a check whether block.timestamp is past deadline. By changing status to false, the funds will be moved to generous donations. However, this might cause significant disruptions to event planning.

Impact

Event interruptions as event hosts might need to make other plans than what they had before deadline.

Proof Of Code

Add this function to ChristmasDinnerTest.t.sol

function test_changeParticipationAfterDeadline() public {
vm.startPrank(user1);
cd.deposit(address(wbtc), 0.1e18);
cd.changeParticipationStatus();
vm.warp(1 + 8 days);
cd.changeParticipationStatus();
vm.stopPrank();
}

Tools Used

Manual Review

Recommendation

In ChristmasDinner::changeParticipationStatus function, add a deadline check for when msg.sender is in the participants list.

function changeParticipationStatus() external {
-- if (participant[msg.sender]) {
++ if (participant[msg.sender] && block.timestamp <= deadline) {
participant[msg.sender] = false;
} else if (!participant[msg.sender] && block.timestamp <= deadline) {
participant[msg.sender] = true;
} else {
revert BeyondDeadline();
}
emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!