The _refundETH function in the ChristmasDinner contract uses Solidity's native transfer method to send Ether to participants. However, the transfer method has a hardcoded gas stipend of 2300 gas, which may be insufficient for recipient contracts with non-trivial fallback functions. This opens the contract to a Denial of Service (DoS) attack, where a malicious participant could deploy a contract designed to revert whenever it receives Ether, blocking the refund process for all users.
```solidity
function _refundETH(address payable _to) internal {
    uint256 refundValue = etherBalance[_to];
    _to.transfer(refundValue); // Vulnerable to DoS
    etherBalance[_to] = 0;
}
```
The transfer function enforces a 2300 gas stipend for the recipient’s fallback function. If the recipient contract requires more gas or intentionally reverts, the transfer call fails, reverting the _refundETH function.
A malicious user deploys a contract with a fallback function that reverts when called:
```solidity
contract Malicious {
    receive() external payable {
        revert("Reverting to cause DoS");
    }
}
```
The malicious user signs up as a participant and deposits Ether into the ChristmasDinner contract.
When the refund function is called, _refundETH attempts to refund the malicious contract using transfer. The transfer fails, and the refund process is halted.
Legitimate participants are unable to withdraw their refunds due to a single malicious participant.
The contract's functionality is effectively frozen, as the refund function cannot complete successfully.
This could lead to loss of trust and reputational damage for the contract.
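The usual fix for this class of issue is the pull-payment pattern: instead of the contract pushing refunds to every participant in one call, each participant withdraws their own balance, so a recipient whose `receive()` reverts only blocks their own refund. The contract below is an added illustration written for this finding, not the audited ChristmasDinner code; it assumes the same `etherBalance` mapping the finding describes and adds a hypothetical `withdrawRefund()` entry point. Because it replaces `transfer` with `call` (which forwards all remaining gas), it also moves the balance reset before the external call and adds a reentrancy guard, which the original ordering in `_refundETH` would not have needed under the 2300-gas stipend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the ChristmasDinner contract): a pull-based refund that
// cannot be frozen by a single reverting recipient.
contract RefundPullExample {
    // Same per-participant accounting as in the finding (assumed).
    mapping(address => uint256) public etherBalance;

    bool private locked;

    // Minimal reentrancy guard: needed once we forward full gas via call.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Participants fund their refundable balance (constructed for the example).
    function deposit() external payable {
        etherBalance[msg.sender] += msg.value;
    }

    // Pull pattern: the caller withdraws only their own balance. If the
    // caller is a contract whose receive() reverts, only this call fails;
    // every other participant's withdrawal is unaffected.
    function withdrawRefund() external nonReentrant {
        uint256 refundValue = etherBalance[msg.sender];
        require(refundValue > 0, "nothing to refund");

        // Checks-effects-interactions: clear the balance before sending so a
        // re-entering recipient cannot withdraw the same funds twice.
        etherBalance[msg.sender] = 0;

        // call forwards all gas (no 2300 stipend) and returns a success flag
        // instead of reverting implicitly; we check it explicitly.
        (bool ok, ) = payable(msg.sender).call{value: refundValue}("");
        require(ok, "refund transfer failed");
    }
}
```

If the protocol genuinely needs an owner-triggered "refund everyone" loop, the same structure still applies: zero each balance, send with `call`, and record failed sends for later individual withdrawal rather than reverting the whole loop on the first failure.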
Manual review