Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Valid

Current implementation of the `ChristmasDinner::deposit` and `ChristmasDinner::receive` functions does not allow users to sign up friends

Summary

The current implementation of the ChristmasDinner::deposit and ChristmasDinner::receive functions does not allow users to sign up friends for the event. Both functions only ever register the caller (msg.sender) as a participant.

Vulnerability Details

According to the specifications and docs, the contract should allow users to sign up friends for the event. However, the current implementation only allows users to sign up themselves, because participant status and balances are keyed directly on msg.sender and neither function accepts a beneficiary address. This is the case for both the ChristmasDinner::deposit function and the ChristmasDinner::receive function.

function deposit(address _token, uint256 _amount) external beforeDeadline {
    if(!whitelisted[_token]) {
        revert NotSupportedToken();
    }
@>  if(participant[msg.sender]){
        balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(msg.sender, _amount);
    } else {
@>      participant[msg.sender] = true;
@>      balances[msg.sender][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
@>      emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    }
}

receive() external payable {
    etherBalance[msg.sender] += msg.value;
@>  emit NewSignup(msg.sender, msg.value, true);
}

Proof of Concept

The current implementation of ChristmasDinner.sol simply does not allow signing up friends directly. The only ways a user could sign up a friend would be by having access to the friend's private key, or by deploying another contract that represents the "friend" and calls the deposit function. In the latter case it is the helper contract's address, not the friend's own address, that is recorded as the participant and credited with the balance, so the friend still cannot act on the sign-up (for example claim a refund) from their own account.

Impact

This issue is considered as having low impact. The main impact is that the contract does not provide the functionality as intended; no funds are at risk. If the contract is supposed to be implemented according to the specifications in the docs, this functionality should be added. However, if the contract is intended to only allow users to sign up themselves, this is not an issue and the docs should be corrected instead.

Tools Used

Foundry, manual review

Recommendations

To allow users to sign up friends for the event using whitelisted tokens, ChristmasDinner::deposit should be updated to accept an additional parameter for the friend's wallet address. To also allow friend sign-ups using ETH, the ETH sign-up path would need to be redesigned, as the receive function cannot take any parameters. In that case, ETH sign-ups could be integrated into a payable variant of the deposit function. Note that this would be a minimal facilitation of friend sign-ups. Allowing users to sign up their friends might require a more extensive redesign of the contract to address the following questions:

  1. Are the donated funds tracked separately or for the signer of the transaction?

  2. How are refunds handled for friends that were signed up by a user?

  3. Who can issue refunds - the user who signed up the friend or the friend themselves?

  4. How can a user claim a refund for the friend or themselves?

  5. Can a user change a friend's participant status, or only the friend themselves?

It is recommended to clarify these questions and implement the desired functionality accordingly.
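The following is an added illustration of the recommendation above, written for this review and not code from the audited ChristmasDinner contract. It takes one concrete position on questions 1 to 4: balances are tracked per participant (the person attending), while a separate record of who paid decides who may claim a refund and where the tokens go. Storage names such as whitelisted, participant, balances and etherBalance mirror the original; depositFor, depositEthFor, refundFor, funder and etherFunder are hypothetical names, the event signatures differ from the original contract's, and the ETH refund path is omitted for brevity. The OpenZeppelin SafeERC20 import is assumed to be available, as it is in the original.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example (not the audited contract): deposit takes a beneficiary so a
// user can pay for a friend's seat. Storage names mirror the original;
// depositFor, depositEthFor, refundFor, funder and etherFunder are hypothetical.
contract FriendSignupExample {
    using SafeERC20 for IERC20;

    error NotSupportedToken();
    error ZeroAddress();
    error NotFunder();
    error DeadlinePassed();

    event NewSignup(address indexed participant, address indexed funder, uint256 amount);
    event GenerousAdditionalContribution(address indexed participant, address indexed funder, uint256 amount);
    event Refunded(address indexed participant, address indexed funder, address token, uint256 amount);

    uint256 public immutable deadline;
    mapping(address => bool) public whitelisted;
    mapping(address => bool) public participant;
    // Question 1: balances are tracked per participant (the person attending),
    // while funder records who actually paid and is therefore owed the refund.
    mapping(address => mapping(address => uint256)) public balances; // participant => token => amount
    mapping(address => mapping(address => address)) public funder;   // participant => token => payer
    mapping(address => uint256) public etherBalance;                  // participant => wei
    mapping(address => address) public etherFunder;                   // participant => payer

    modifier beforeDeadline() {
        if (block.timestamp >= deadline) revert DeadlinePassed();
        _;
    }

    constructor(address[] memory _tokens, uint256 _deadline) {
        for (uint256 i = 0; i < _tokens.length; i++) whitelisted[_tokens[i]] = true;
        deadline = _deadline;
    }

    // Self sign-up keeps the old shape: caller is both participant and payer.
    function deposit(address _token, uint256 _amount) external beforeDeadline {
        _deposit(msg.sender, _token, _amount);
    }

    // Friend sign-up with a whitelisted token: _friend attends, msg.sender pays.
    function depositFor(address _friend, address _token, uint256 _amount) external beforeDeadline {
        if (_friend == address(0)) revert ZeroAddress();
        _deposit(_friend, _token, _amount);
    }

    // ETH sign-up moved out of receive() so that it can carry the friend's address.
    function depositEthFor(address _friend) external payable beforeDeadline {
        if (_friend == address(0)) revert ZeroAddress();
        if (etherBalance[_friend] == 0) etherFunder[_friend] = msg.sender;
        else if (etherFunder[_friend] != msg.sender) revert NotFunder();
        bool isNew = !participant[_friend];
        participant[_friend] = true;
        etherBalance[_friend] += msg.value;
        if (isNew) emit NewSignup(_friend, msg.sender, msg.value);
        else emit GenerousAdditionalContribution(_friend, msg.sender, msg.value);
    }

    function _deposit(address _participant, address _token, uint256 _amount) internal {
        if (!whitelisted[_token]) revert NotSupportedToken();
        // One payer per participant/token pair keeps refund accounting unambiguous.
        if (balances[_participant][_token] == 0) funder[_participant][_token] = msg.sender;
        else if (funder[_participant][_token] != msg.sender) revert NotFunder();
        bool isNew = !participant[_participant];
        participant[_participant] = true;
        balances[_participant][_token] += _amount;
        // Tokens are pulled from the payer, never from the friend.
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        if (isNew) emit NewSignup(_participant, msg.sender, _amount);
        else emit GenerousAdditionalContribution(_participant, msg.sender, _amount);
    }

    // Questions 2-4: only the payer can claim, and the tokens return to the payer.
    // Participant status is deliberately left alone here, because the same friend
    // may still hold a balance in another token; that decision belongs to question 5.
    function refundFor(address _participant, address _token) external beforeDeadline {
        if (funder[_participant][_token] != msg.sender) revert NotFunder();
        uint256 amount = balances[_participant][_token];
        balances[_participant][_token] = 0;
        delete funder[_participant][_token];
        IERC20(_token).safeTransfer(msg.sender, amount);
        emit Refunded(_participant, msg.sender, _token, amount);
    }
}
```

The one-payer-per-seat rule is a design choice, not a requirement: it avoids having to split a refund between several people who each chipped in for the same friend. If shared contributions are wanted, funder would have to become a per-payer balance and refundFor would return only the caller's share. Either way, the check that matters for safety is that tokens and ETH are always transferred from and refunded to msg.sender, never to an address supplied as a parameter, so a caller cannot drain or redirect someone else's contribution by naming them as the "friend".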

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Deposit function lacks functionality
