Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Invalid

User can deposit `0` funds into the contract and become a participant

Summary

Because the `ChristmasDinner::deposit` function lacks a zero-amount check, a user can deposit zero funds into the contract and become a participant, which severely breaks the functionality of the protocol. A user can sneak into the Christmas dinner party without paying any tokens.

Vulnerability Details

Add the following to the test suite and run `forge test --mt test_depositZeroAmount`:
```solidity
function test_depositZeroAmount() public {
    vm.warp(1 + 3 days);
    vm.startPrank(user1);
    // vm.expectEmit();
    // Deposit an amount of zero; the call does not revert.
    cd.deposit(address(wbtc), 0);
    // No tokens reached the contract...
    assertEq(wbtc.balanceOf(address(cd)), 0);
    // ...yet user1 is now recorded as a participant.
    assertEq(cd.getParticipationStatus(user1), true);
    console.log("participation status with zero amount", cd.getParticipationStatus(user1));
    vm.stopPrank();
}
```

Impact

Malicious users can become participants and attend the Christmas dinner event for free.

Tools Used

Foundry, manual analysis

Recommendations

Include a zero-amount check in the `ChristmasDinner::deposit` function.

```solidity
// AmountCannotBeZero must also be declared as a custom error in the contract.
if (_amount == 0) {
    revert AmountCannotBeZero();
}
```

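
To show where the recommended check sits relative to the state changes, here is an added sketch that is not the ChristmasDinner source or code from the submission. The contract `DepositGateModel`, its storage layout, `depositUnchecked`, `_pull` and `TransferFailed` are hypothetical; only the `AmountCannotBeZero` error name comes from the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by this sketch.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified model of a deposit-gated participant list.
// It is not the ChristmasDinner source; only AmountCannotBeZero comes from the page.
contract DepositGateModel {
    error AmountCannotBeZero();
    error TransferFailed();

    mapping(address => bool) public participant;
    mapping(address => mapping(address => uint256)) public balances; // user => token => amount

    // Before: a zero-amount call transfers nothing yet still marks the caller.
    function depositUnchecked(address token, uint256 amount) external {
        participant[msg.sender] = true;
        balances[msg.sender][token] += amount;
        _pull(token, amount);
    }

    // After: reject zero first, so a free sign-up attempt changes no state.
    function deposit(address token, uint256 amount) external {
        if (amount == 0) revert AmountCannotBeZero();
        participant[msg.sender] = true;
        balances[msg.sender][token] += amount;
        _pull(token, amount);
    }

    // Pull tokens from the caller and treat a false return value as a failure.
    function _pull(address token, uint256 amount) private {
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) {
            revert TransferFailed();
        }
    }
}
```
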
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
