Christmas Dinner
First Flight #31
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Host can immediately end the sign up period

nadir_khan_sec

Summary

The host can arbitrarily end the sign up period by calling setDeadline() and passing 0 days as the argument. The result is that th sign up period immediately ends. Participants who already registered are locked in losing the ability to change their mind up until the previous deadline that was in place.

Vulnerability Details

function setDeadline(uint256 _days) external onlyHost {
if(deadlineSet) {
revert DeadlineAlreadySet();
} else {
deadline = block.timestamp + _days * 1 days;
emit DeadlineSet(deadline);
}
}

Impact

  1. Prevents participants from benefiting from the sign up period to change their mind or call refund.

  2. Allows hosts to lock in participants who already signed up and contributed.

  3. Allows the host to take the ETH of any participants who tried to sign up via ETH.

    1. Contract receives ETH deposits in receive()

    2. Host calls setDeadline(0)

    3. Host deposits some ETH into ChristmasDinner contract

    4. Host calls refund() and re-enters (from a malicious contract Host controls) until all ETH is drained

See PoC:

See malicious contract:

Tools Used

Manual review

Recommendations

Solution: Allow the host to extend the deadline but not reduce it by implementing following check:

function setDeadline(uint256 _days) external onlyHost {
require( _days != 0);
if(deadlineSet) {
revert DeadlineAlreadySet();
} else {
deadline = block.timestamp + _days * 1 days; //@audit could this be set to 0? then what?
emit DeadlineSet(deadline);
}
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

deadline is never set to true

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!