In the refund function of the ChristmasDinner contract, a user's participation status is not reset when they take their funds back. After the refund completes, participant[msg.sender] is still true, so the user keeps participant status while having nothing committed to the event. Anyone can therefore obtain participant status at no cost by depositing and immediately refunding.
The refund function in the ChristmasDinner contract returns both the caller's ERC20 token balances and their Ether balance, but it never updates the participant mapping. Specifically, participant[msg.sender] remains true after the refund has been paid out, so the contract still treats the caller as a participant even though the balances backing that status are now zero.
The refund code path therefore does only half of the state change: it zeroes and pays out the balances but does not write participant[msg.sender] = false. A user can receive a full refund and still be counted as a participant, gaining access to anything gated on that flag without having contributed any funds.
A user who withdraws their funds continues to count as a participant. Any logic that reads the participant mapping, whether other functions in the contract or the host reading it off-chain to build the guest list, will treat the refunded address the same as an address that still has funds deposited. The practical effect is that a user can deposit, refund, and then be admitted to the Christmas dinner, or exercise any other participant-only behaviour, without ever paying.
Manual code review
To mitigate this issue, refund should set participant[msg.sender] = false. Clear the flag before the token and Ether transfers are made (checks-effects-interactions), so that the status is already revoked at the moment the external calls happen, and add a regression test that asserts the flag is false after a refund.
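The following is an added illustration, not the audited ChristmasDinner contract or any code from the contest. It is a hypothetical, reduced deposit/refund sketch (the contract name RefundSketch, the deposit and receive functions, and the test are all assumptions made for the example) showing the recommended refund shape, with the participant flag cleared before any external transfer, plus a Foundry test that would have caught the original finding:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: OpenZeppelin contracts and forge-std, as in a standard Foundry project.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical, reduced sketch of a deposit/refund flow. It is NOT the audited
/// ChristmasDinner contract; only the participant / balances / refund shape is modelled.
contract RefundSketch is ReentrancyGuard {
    using SafeERC20 for IERC20;

    mapping(address user => bool) public participant;
    mapping(address user => mapping(address token => uint256)) public balances;
    mapping(address user => uint256) public etherBalance;

    event Refunded(address indexed user);

    function deposit(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender][token] += amount;
        participant[msg.sender] = true;
    }

    receive() external payable {
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }

    /// Recommended shape: the status flag is cleared BEFORE any external call,
    /// so a refunded address is no longer a participant once the payout happens
    /// (checks-effects-interactions).
    function refund(address[] calldata tokens) external nonReentrant {
        require(participant[msg.sender], "not a participant");
        participant[msg.sender] = false; // the effect the original refund omitted
        _refundERC20(msg.sender, tokens);
        _refundETH(msg.sender);
        emit Refunded(msg.sender);
    }

    function _refundERC20(address to, address[] calldata tokens) internal {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 amount = balances[to][tokens[i]];
            if (amount == 0) continue;
            balances[to][tokens[i]] = 0;
            IERC20(tokens[i]).safeTransfer(to, amount);
        }
    }

    function _refundETH(address to) internal {
        uint256 amount = etherBalance[to];
        if (amount == 0) return;
        etherBalance[to] = 0;
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "ETH refund failed");
    }
}

/// Regression test for the finding: after refund(), participant must read false.
contract RefundSketchTest is Test {
    RefundSketch internal dinner;
    address internal user = makeAddr("user");

    function setUp() public {
        dinner = new RefundSketch();
        vm.deal(user, 1 ether);
    }

    function test_refundClearsParticipantStatus() public {
        vm.startPrank(user);
        (bool ok, ) = payable(address(dinner)).call{value: 1 ether}("");
        assertTrue(ok);
        assertTrue(dinner.participant(user)); // deposit granted the status

        address[] memory noTokens = new address[](0);
        dinner.refund(noTokens);
        vm.stopPrank();

        assertFalse(dinner.participant(user)); // status revoked by the refund
        assertEq(dinner.etherBalance(user), 0);
        assertEq(user.balance, 1 ether);       // funds returned in full
    }
}
```

Place the file under test/ in a Foundry project and run forge test --match-test test_refundClearsParticipantStatus. Against a refund that leaves the flag set, the assertFalse line fails, which is the check the original contract lacked.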