Christmas Dinner

First Flight #31
Beginner Friendly · Foundry · Solidity
100 EXP
Submission Details
Severity: medium
Valid

`ChristmasDinner::refund` does not update participant status, which can lead to discrepancies between the head count and the funds collected for the event

Summary

The function ChristmasDinner::refund should set the caller's participant status to false when a user takes a refund, since a refund signals that they no longer wish to attend the event. Because the status is left unchanged, the recorded head count can diverge from the funds actually held for the event.

Vulnerability Details

The main purpose of the protocol is to track participant signups and collect funds for the event. The ChristmasDinner::refund function lets users take their funds back if they decide not to attend. However, the implementation returns the funds without resetting the caller's participant status to false. The host therefore still sees the refunded user as attending, while the funds on hand no longer cover that head count. A user aware of the issue can also exploit it deliberately: take a refund before the deadline and still show up as a registered participant.

function refund() external nonReentrant beforeDeadline {
@>  // missing line to update participant status to false
    address payable _to = payable(msg.sender);
    _refundERC20(_to);
    _refundETH(_to);
    emit Refunded(msg.sender);
}

Proof of Concept

In the following scenario, a user could issue a refund but still attend the event:

  1. User signs up for the Christmas dinner by sending ETH or tokens to the contract, which marks them as a participant.

  2. User calls refund before the deadline and receives their funds back.

  3. refund does not reset the user's participant status to false.

  4. User is still recorded as a participant and can attend the event despite having been refunded.

Code:

Place the following test into ChristmasDinnerTest.t.sol to demonstrate the issue (it uses the existing fixture: cd is the ChristmasDinner under test, user1 holds and has approved weth, and the deadline is set in setUp):

function test_refundWithoutStatusUpdate() public {
    uint256 depositAmount = 1e18;

    // user1 signs up with WETH; the contract now holds the deposit
    vm.prank(user1);
    cd.deposit(address(weth), depositAmount);
    assertEq(weth.balanceOf(address(cd)), depositAmount);

    // user1 takes a refund while still before the deadline
    vm.warp(3 days);
    vm.prank(user1);
    cd.refund();

    // user1 has been refunded but is still recorded as a participant
    bool participantStatus = cd.getParticipationStatus(user1);
    assertEq(participantStatus, true);
}

Impact

Since the main purpose of the protocol is to track user participation and collect sufficient funds for the event, the impact of not updating the participant status during a refund is high: it defeats the purpose of the protocol. The host has no accurate head count and may lack the funds to cover the costs of everyone recorded as attending, leading to planning problems and financial discrepancies for the event.

Tools Used

Foundry, manual review, custom test

Recommendations

Set the caller's participant status to false when they take a refund. This keeps the recorded head count in step with the funds actually held, so the host can plan accordingly, and it removes the option of taking a refund while remaining registered for the event.

function refund() external nonReentrant beforeDeadline {
+ participant[msg.sender] = false;
address payable _to = payable(msg.sender);
_refundERC20(_to);
_refundETH(_to);
emit Refunded(msg.sender);
}
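Review bot: with `participant[msg.sender] = false;` added, the PoC test above (`test_refundWithoutStatusUpdate`) will now fail, because it asserts that the status is still `true` after the refund; flip that assertion to `false` so the suite documents the fixed behaviour rather than the bug. Writing the flag before `_refundERC20(_to)` and `_refundETH(_to)` is the right order (state is updated before the external transfers, independent of `nonReentrant`), and the write is idempotent for a caller whose status is already `false`, so the new line needs no extra guard.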
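The following regression test is added here as an example and is not part of the original submission or the project's test suite. It assumes the same ChristmasDinnerTest.t.sol fixture the PoC uses (cd is the ChristmasDinner under test, user1 holds and has approved weth, the deadline is set in setUp) and that the recommended fix has been applied to ChristmasDinner::refund. It checks the property the finding is about: after a refund, the returned funds and the participant flag agree.

```solidity
// Added example, not the project's own code. Assumes the ChristmasDinnerTest.t.sol
// fixture (cd, user1, weth, deadline set in setUp) and the fix applied to refund().
function test_refundClearsParticipationStatus() public {
    uint256 depositAmount = 1e18;
    uint256 balanceBefore = weth.balanceOf(user1);

    // user1 signs up with WETH and is counted as a participant
    vm.prank(user1);
    cd.deposit(address(weth), depositAmount);
    assertEq(cd.getParticipationStatus(user1), true);
    assertEq(weth.balanceOf(address(cd)), depositAmount);

    // user1 takes a refund while still before the deadline
    vm.warp(3 days);
    vm.prank(user1);
    cd.refund();

    // head count and funds must agree: tokens returned, status cleared
    assertEq(weth.balanceOf(user1), balanceBefore);
    assertEq(weth.balanceOf(address(cd)), 0);
    assertEq(cd.getParticipationStatus(user1), false);
}
```

Run it with `forge test --match-test test_refundClearsParticipationStatus`; against the unfixed contract the final assertion fails, against the fixed contract all three pass.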
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund does not update participation status
