Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Valid

Participant Signup Allowed Without Making Deposit

Summary

Participants are able to sign up for the event without making any deposit.

Vulnerability Details

The changeParticipationStatus() function allows individuals to sign up (by setting their participation status to true) without making a deposit. This is because the else if statement only checks whether the caller's status is currently false and whether the deadline has not yet passed. Since participant is a mapping(address => bool), the default value for any address is false, so any new caller satisfies the first check, !participant[msg.sender]. As long as the deadline has not passed, the second check is also satisfied and the expression evaluates to true. The caller can then set their participation status to true while bypassing the deposit() function.

Impact

This will allow users to attend the event while not having to pay.

Tools Used

Foundry test:

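    function test_changeParticipationWithNoDeposit() public {
        vm.startPrank(user1);
        // user1 has never called deposit(), so the mapping holds its default value
        assertEq(cd.getParticipationStatus(user1), false);
        // Toggle the status directly, with no deposit made
        cd.changeParticipationStatus();
        // user1 is now registered as a participant without paying
        assertEq(cd.getParticipationStatus(user1), true);
        vm.stopPrank();
    }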

Recommendations

Update the else if statement so that it verifies that the caller has previously made a deposit before changing their status from false back to true.
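The following is an added example, not the audited contract's source: a minimal model that puts the toggle logic described above next to a version that applies this recommendation. The contract name, the hasDeposited mapping, the two error names, the function-name suffixes and the ETH-based deposit() are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified model, not the project's code.
contract ParticipationModel {
    error DeadlinePassed(); // hypothetical error name
    error NoDeposit();      // hypothetical error name

    uint256 public immutable deadline;
    mapping(address => bool) public participant;
    // Hypothetical bookkeeping: true once an address has funded the event.
    mapping(address => bool) public hasDeposited;

    constructor(uint256 _deadline) {
        deadline = _deadline;
    }

    // Simplified stand-in for deposit(): records the payment and signs up.
    function deposit() external payable {
        if (block.timestamp > deadline) revert DeadlinePassed();
        require(msg.value > 0, "no value sent");
        hasDeposited[msg.sender] = true;
        participant[msg.sender] = true;
    }

    // Logic as described in the finding: a fresh address defaults to false,
    // so the else-if branch signs it up without any payment.
    function changeParticipationStatusVulnerable() external {
        if (participant[msg.sender]) {
            participant[msg.sender] = false;
        } else if (!participant[msg.sender] && block.timestamp <= deadline) {
            participant[msg.sender] = true;
        } else {
            revert DeadlinePassed();
        }
    }

    // Recommended shape: switching back to true requires a prior deposit.
    function changeParticipationStatusFixed() external {
        if (participant[msg.sender]) {
            participant[msg.sender] = false;
            return;
        }
        if (block.timestamp > deadline) revert DeadlinePassed();
        if (!hasDeposited[msg.sender]) revert NoDeposit();
        participant[msg.sender] = true;
    }
}
```

With the fixed variant, the Foundry test above would revert at the status change instead of reaching its final assertion. If a contract using this pattern also returns funds, the deposit flag has to be cleared at that point, otherwise the same bypass reappears.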

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
