Christmas Dinner

First Flight #31
Beginner Friendly | Foundry | Solidity
100 EXP
Submission Details
Severity: low
Valid

User can become a participant without making a deposit in the changeParticipationStatus function

Summary

In the changeParticipationStatus function of the ChristmasDinner contract, a user can change their participation status from false to true (i.e. become a participant) without making any deposit. This happens because there is no check that a deposit has been made before a user is allowed to join the event.

Vulnerability Details

In the current implementation, a user can change their participation status from false to true even if they have not deposited any tokens. This is due to the absence of a requirement that a user must have made a deposit in order to become a participant. The function only checks whether the user is already a participant (participant[msg.sender] == false) and that the deadline has not passed; if so, it sets the status to true without any deposit check, which is a critical flaw in the logic.

function changeParticipationStatus() external { // does not check whether msg.sender has made a deposit
    if(participant[msg.sender]) {
        participant[msg.sender] = false;
    } else if(!participant[msg.sender] && block.timestamp <= deadline) {
        participant[msg.sender] = true;
    } else {
        revert BeyondDeadline();
    }
    emit ChangedParticipation(msg.sender, participant[msg.sender]);
}

Impact

This vulnerability allows users to register as participants in the event without contributing any funds, which could lead to the system being misused. For example, a user could register to gain access to benefits or rewards that are intended only for contributors, without actually contributing to or supporting the event. This also undermines the integrity of the system, as participation should be tied to a deposit or some form of contribution. It further allows a malicious user who became a participant this way, without contributing any funds, to be selected as the host. After becoming the host, they could withdraw all the funds from the contract and steal the assets of the other participants.

Tools Used

Manual code review

Recommendations

It is recommended to add a check to the changeParticipationStatus function to ensure that users cannot change their participation status to true without having made a deposit. A possible solution is to add a condition that verifies if the user has a non-zero balance or contribution before allowing them to change their status.

function changeParticipationStatus() external {
    if (participant[msg.sender] == true) {
        participant[msg.sender] = false;
    } else if (participant[msg.sender] == false && block.timestamp <= deadline) {
        // Ensure user has deposited before allowing participation
        require(balances[msg.sender][address(i_WBTC)] > 0 ||
                balances[msg.sender][address(i_WETH)] > 0 ||
                balances[msg.sender][address(i_USDC)] > 0 ||
                etherBalance[msg.sender] > 0, "You must deposit before participating.");
        participant[msg.sender] = true;
    } else {
        revert BeyondDeadline();
    }
    emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
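A Foundry regression test for the recommendation above, added here as an example and not part of the original submission or the project's test suite. It assumes the contract's constructor takes the three token addresses, that the deployer is the host who can call setDeadline(uint256), that receive() credits etherBalance, and that getParticipationStatus(address) exposes the participant mapping; the first test fails on the vulnerable code and passes once the deposit check is in place.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";
import {ChristmasDinner} from "../src/ChristmasDinner.sol";

contract ParticipationRequiresDepositTest is Test {
    ChristmasDinner dinner;
    address user = makeAddr("user");

    function setUp() public {
        // Assumption: the constructor only stores the three token addresses.
        // These tests never transfer ERC-20s, so labelled dummy addresses suffice.
        dinner = new ChristmasDinner(makeAddr("WBTC"), makeAddr("WETH"), makeAddr("USDC"));
        // Assumption: the deployer is the host and setDeadline opens the join window.
        dinner.setDeadline(7);
    }

    // Before the fix: no revert and the status flips to true with zero deposits.
    // After the fix: the require() from the recommendation rejects the call.
    function test_joinWithoutDepositReverts() public {
        vm.prank(user);
        vm.expectRevert(bytes("You must deposit before participating."));
        dinner.changeParticipationStatus();
        assertFalse(dinner.getParticipationStatus(user));
    }

    // The fix must not block real contributors: fund the user with ether,
    // deposit it via the receive() path (assumption), then toggle participation.
    function test_joinAfterEtherDeposit() public {
        vm.deal(user, 1 ether);
        vm.startPrank(user);
        (bool ok, ) = address(dinner).call{value: 1 ether}("");
        assertTrue(ok, "ether deposit failed");
        dinner.changeParticipationStatus();
        vm.stopPrank();
        assertTrue(dinner.getParticipationStatus(user));
    }
}
```

Run with `forge test --match-contract ParticipationRequiresDepositTest`; the first test is the one that should be red on the unpatched contract.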
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
