Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Funder can still withdraw funds after opting-out

Summary

In the refund function of the ChristmasDinner contract, users who have set their participation status to false can still withdraw their funds, even though they are no longer considered participants. This allows users who have opted out (referred to as Funders) to withdraw their deposits when they should not be able to, so the refund mechanism can be misused.

Vulnerability Details

The refund function does not check whether the caller is still an active participant. As a result, a user who has already chosen to leave the event (participant status set to false) can still call refund and retrieve their funds, which goes against the intended behavior of the contract.

Impact

This behavior allows Funders to withdraw their funds even if they are not attending the event, which undermines the fairness of the system.

Tools Used

Manual code review

Recommendations

Add a check to the refund function to ensure that only active participants (those with participant[msg.sender] == true) can withdraw their funds.

function refund() external nonReentrant beforeDeadline {
    // Ensure that the user is an active participant before allowing withdrawal
    require(participant[msg.sender] == true, "Only active participants can withdraw funds.");
    address payable _to = payable(msg.sender);
    _refundERC20(_to);
    _refundETH(_to);
    emit Refunded(msg.sender);
}

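The following Foundry test is an added example, not code from the submission or the ChristmasDinner project: it uses a constructed stand-in contract (ETH deposits only, no deadline or ERC20 logic, and a simplified changeParticipationStatus that just flips the flag) to show what the recommended check does, namely that an opted-out Funder's refund reverts while an active participant's succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for ChristmasDinner (ETH only, no deadline logic); not the real contract.
contract MinimalDinner {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    error NotParticipant();

    // Depositing ETH makes the sender a participant.
    function deposit() external payable {
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }
    // Opting out turns a participant into a Funder; their ETH stays in the contract.
    function changeParticipationStatus() external {
        participant[msg.sender] = !participant[msg.sender];
    }
    // Refund with the recommended check: only active participants can pull funds back.
    function refund() external {
        if (!participant[msg.sender]) revert NotParticipant();
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}

contract RefundAfterOptOutTest is Test {
    MinimalDinner dinner;
    address alice = makeAddr("alice");

    function setUp() public {
        dinner = new MinimalDinner();
        vm.deal(alice, 1 ether);
    }
    function test_optedOutFunderCannotRefund() public {
        vm.startPrank(alice);
        dinner.deposit{value: 1 ether}();
        dinner.changeParticipationStatus(); // alice opts out and becomes a Funder
        vm.expectRevert(MinimalDinner.NotParticipant.selector);
        dinner.refund();                    // reverts: Funders cannot withdraw
        dinner.changeParticipationStatus(); // opting back in restores the right to refund
        dinner.refund();
        vm.stopPrank();
        assertEq(alice.balance, 1 ether);   // deposit came back only to an active participant
    }
}
```

Run with `forge test --match-contract RefundAfterOptOutTest`; removing the NotParticipant check makes the expectRevert line fail, which is the behaviour this submission reports.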
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
