Submission Details
Severity:
changeParticipationStatus function allows the registration of a user without payment
Summary
according to natspec changeParticipationStatus::ChristmasDinner supports not attending without a refund, also allows many changes of mind. But strictly enforces that false can not be changed to true after the deadline.
The else if allows a non member to be registered without paying within the deadline duration
function changeParticipationStatus() external {
if(participant[msg.sender]) {
participant[msg.sender] = false;
@> } else if(!participant[msg.sender] && block.timestamp <= deadline) {
participant[msg.sender] = true;
} else {
revert BeyondDeadline();
}
emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
Impact
signing up of members without payment
Tools Used
Manual Review
Recommendations
the balance of msg.sender should be checked
else if(!participant[msg.sender] && block.timestamp <= deadline) {
+ if(balances[msg.sender][address(i_WETH)]> 0 ||
+ balances[msg.sender][address(i_WBTC)]> 0 ||
+ balances[msg.sender][address(i_WBTC)]> 0 ||
+ etherBalance[_to] >0
){
participant[msg.sender] = true;
}
}
Updates
Lead Judging Commences
0xtimefliez about 1 year ago
Submission Judgement Published Assigned finding tags:
usage of change participation logic circumvents deposit
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.