Christmas Dinner

First Flight #31
Submission Details
Severity: low
Valid

`ChristmasDinner::deposit` does not provide a way for participants to sign up new users

**Description:** The documentation states that a new user can be signed up by other legitimate participants, but the implementation only allows users to sign up themselves.
**Impact:** This prevents legitimate use cases and could break the expected UX.
```solidity
/// @notice Deposits `_amount` of `_token` for the caller and, on the caller's
///         first deposit, registers the caller as a participant.
/// @dev Only `msg.sender` is ever registered or credited: the function takes
///      no beneficiary argument, so one participant cannot sign up another.
///      Storage is updated before the external `safeTransferFrom`, which
///      reverts the whole call if the transfer fails.
/// @param _token  Token to deposit; must be whitelisted.
/// @param _amount Amount pulled from `msg.sender` via `safeTransferFrom`.
function deposit(address _token, uint256 _amount) external beforeDeadline {
    if (!whitelisted[_token]) revert NotSupportedToken();

    // A first-time depositor is flagged as a participant before any funds move.
    bool firstDeposit = !participant[msg.sender];
    if (firstDeposit) {
        participant[msg.sender] = true;
    }

    // NOTE(review): `_amount` is not validated, so a zero-value call from a new
    // address still sets `participant[msg.sender]` (provided the token accepts
    // zero-value transfers) — confirm whether that is intended.
    balances[msg.sender][_token] += _amount;
    IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);

    if (firstDeposit) {
        emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
    } else {
        emit GenerousAdditionalContribution(msg.sender, _amount);
    }
}
```
**Proof of Concept:**
1. `deposit` only updates state for the caller (`msg.sender`).
2. Nothing in `deposit` lets Alice sign up Bob or any other user.
<details>
<summary>Proof of Code</summary>
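/// @title Tests showing that `ChristmasDinner.deposit` can only register the caller.
/// @dev `test_DepositOnlyAffectsSender` previously emitted two template events
///      after a single `vm.expectEmit`, which does not register a second
///      expectation; it now expects exactly one `NewSignup` (for the caller) and
///      asserts directly that Bob is not enrolled and that the contract received
///      Alice's tokens.
contract ChristmasDinnerTest is Test {
    ChristmasDinner cd;
    ERC20Mock wbtc;
    ERC20Mock weth;
    ERC20Mock usdc;

    uint256 initialSupply = 1000000 * 10e18;
    uint256 constant DEADLINE = 7;
    uint256 constant DEPOSIT_AMOUNT = 10e18;

    address deployer = makeAddr("deployer");
    address alice = makeAddr("participant");
    address bob = makeAddr("newUser");

    /// @dev Deploys the mock tokens and the contract under test, sets the
    ///      deadline as `deployer`, and funds Alice with one deposit's worth of WBTC.
    function setUp() public {
        // Initialize mock tokens
        wbtc = new ERC20Mock("Wrapped Bitcoin", "WBTC", address(this), DEPOSIT_AMOUNT);
        weth = new ERC20Mock("Wrapped Ether", "WETH", address(this), initialSupply);
        usdc = new ERC20Mock("USD Coin", "USDC", address(this), initialSupply);

        // Deploy the ChristmasDinner contract
        vm.startPrank(deployer);
        cd = new ChristmasDinner(address(wbtc), address(weth), address(usdc));
        cd.setDeadline(DEADLINE);
        vm.stopPrank();

        deal(address(wbtc), alice, DEPOSIT_AMOUNT);
        assertEq(wbtc.balanceOf(alice), DEPOSIT_AMOUNT, "Alice should have initial balance");
    }

    /// @dev Alice's deposit registers Alice and nobody else.
    function test_CannotSignUpOthers() public {
        vm.startPrank(alice);
        wbtc.approve(address(cd), DEPOSIT_AMOUNT);
        cd.deposit(address(wbtc), DEPOSIT_AMOUNT);
        vm.stopPrank();

        assertTrue(cd.getParticipationStatus(alice), "Alice should be a participant");
        assertFalse(cd.getParticipationStatus(bob), "Bob should not be a participant");
    }

    /// @dev The only `NewSignup` emitted by Alice's deposit names Alice, and the
    ///      deposited tokens end up in the contract; Bob's status is untouched.
    function test_DepositOnlyAffectsSender() public {
        vm.startPrank(alice);
        wbtc.approve(address(cd), DEPOSIT_AMOUNT);

        // Exactly one signup event is expected, and it must be for the caller.
        vm.expectEmit(true, true, true, true);
        emit ChristmasDinner.NewSignup(alice, DEPOSIT_AMOUNT, true);
        cd.deposit(address(wbtc), DEPOSIT_AMOUNT);
        vm.stopPrank();

        assertFalse(cd.getParticipationStatus(bob), "Bob must not be signed up by Alice's deposit");
        assertEq(wbtc.balanceOf(address(cd)), DEPOSIT_AMOUNT, "Contract should hold Alice's deposit");
    }
}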
</details>
**Recommended Mitigation:** Add a `_participant` parameter so that a caller can sign up (and pay for) another user.
```solidity
/// @notice Deposits `_amount` of `_token` on behalf of `_participant`, registering
///         them as a participant on their first deposit. Tokens are pulled from
///         `msg.sender`, so a caller can sign up (and pay for) another address.
/// @dev NOTE(review): `ZeroAddress` and `ZeroAmount` do not appear in the quoted
///      original `deposit`; confirm the contract declares these custom errors.
///      NOTE(review): `_participant` is not restricted to `msg.sender`; if the
///      contract lets a participant opt out, confirm whether a third party
///      re-enrolling them through this path is intended.
/// @param _token       Token to deposit; must be non-zero and whitelisted.
/// @param _amount      Non-zero amount pulled from `msg.sender`.
/// @param _participant Address credited with the deposit.
function deposit(
    address _token,
    uint256 _amount,
    address _participant
) external beforeDeadline {
    // Both zero-address cases share one error; amount and whitelist follow in order.
    if (_token == address(0) || _participant == address(0)) revert ZeroAddress();
    if (_amount == 0) revert ZeroAmount();
    if (!whitelisted[_token]) revert NotSupportedToken();

    if (participant[_participant]) {
        // Existing participant: credit and pull funds from the caller.
        balances[_participant][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit GenerousAdditionalContribution(_participant, _amount);
    } else {
        // First deposit for this address: enrol before moving funds.
        participant[_participant] = true;
        balances[_participant][_token] += _amount;
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        emit NewSignup(_participant, _amount, getParticipationStatus(_participant));
    }
}
```
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Deposit function lacks functionality
