Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: low
Valid

Anyone can become a banquet participant without paying the registration fee.

Summary

Users can attend the Christmas social dinner directly without paying the registration fee.

Vulnerability Details

https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L151-L152

    function changeParticipationStatus() external {
        if(participant[msg.sender]) {
            participant[msg.sender] = false;
        } else if(!participant[msg.sender] && block.timestamp <= deadline) {
            participant[msg.sender] = true;
        } else {
            revert BeyondDeadline();
        }
        emit ChangedParticipation(msg.sender, participant[msg.sender]);
    }

In changeParticipationStatus(), the else if branch only checks that the caller is not already a participant and that the deadline has not passed. It never checks that the caller has deposited anything, so a user who is not yet a participant can set their status to "true" before the deadline and become a participant without paying the registration fee.

Impact

By this method, any user can make themselves a participant of the dinner, which violates the contract's intended rules.

Tools Used

Manual Review

Recommendations

Under the else if condition, add a call to a deposit function, so that users can only change their participation status to true after making a deposit.
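One way to apply this recommendation, shown as an added example that is not part of the original submission or the ChristmasDinner source. It assumes ether-only deposits, and the names `ParticipationGuardExample`, `deposited`, `NoDeposit` and `signUp` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the ChristmasDinner contract. Ether-only deposits and
/// the names `deposited`, `NoDeposit` and `signUp` are assumptions for this sketch.
contract ParticipationGuardExample {
    error BeyondDeadline();
    error NoDeposit();

    event ChangedParticipation(address indexed user, bool status);

    uint256 public immutable deadline;
    mapping(address => bool) public participant;
    mapping(address => uint256) public deposited; // hypothetical ledger of paid fees

    constructor(uint256 _deadline) {
        deadline = _deadline;
    }

    /// Paying the fee is the only path that grants participant status the first time.
    function signUp() external payable {
        if (block.timestamp > deadline) revert BeyondDeadline();
        if (msg.value == 0) revert NoDeposit();
        deposited[msg.sender] += msg.value;
        participant[msg.sender] = true;
        emit ChangedParticipation(msg.sender, true);
    }

    /// Same branches as the reported function, with the opt-in branch gated on a deposit.
    function changeParticipationStatus() external {
        if (participant[msg.sender]) {
            // Opting out stays available at any time, as in the reported code.
            participant[msg.sender] = false;
        } else if (block.timestamp > deadline) {
            revert BeyondDeadline();
        } else if (deposited[msg.sender] == 0) {
            // The check missing from the reported code: no deposit, no opt-in.
            revert NoDeposit();
        } else {
            participant[msg.sender] = true;
        }
        emit ChangedParticipation(msg.sender, participant[msg.sender]);
    }
}
```

A regression test for the fix would call changeParticipationStatus() from an address that has never deposited and expect the NoDeposit revert, then repeat the call after a deposit and an opt-out and expect it to succeed.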

Updates

Lead Judging Commences

0xtimefliez Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
