Christmas Dinner
First Flight #31
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

H-1: Missing Validation for Minimum Deposit Amount

andrekkr

Summary

Both the deposit function and the receive function lack a minimum contribution check. The absence of such a check allows participants to register with zero value, either via _amount in the deposit function or via msg.value in the receive function. This undermines the protocol’s integrity by allowing users to bypass the intended minimum financial contribution.

Vulnerability Details

Root Cause:

  • The deposit function does not validate that _amount > 0 before processing the deposit.

  • The receive function does not validate that msg.value > 0 before adding ETH to the participant’s balance and registering them.

Expected Behavior:
Both functions should enforce a minimum contribution amount to ensure that participants contribute to the total funds.

Current Behavior:

  • The deposit function allows participants to register with _amount = 0.

  • The receive function allows participants to register with msg.value = 0.

Impact

This vulnerability compromises the event's financial integrity by allowing participants to register without meaningful contributions, which could lead to:

  1. Reduced Total Funds: Some participants might exploit this to avoid contributing while still benefiting from participation.

  2. Financial Planning Issues: Organizers cannot rely on the contributions to meet the event's funding goals.

  3. Exploitation via Bots: Automated bots could exploit this to register multiple zero-value participants, bloating the participant list.

Tools Used

  • Manual code review

  • Foundry

PoC

function testReceiveZeroValue() public {
vm.startPrank(user1);
vm.expectRevert();
(bool success, ) = address(cd).call{value: 0}("");
assertFalse(success, "Receive function accepted zero value.");
vm.stopPrank();
}
function testDepositZeroAmount() public {
vm.startPrank(user1);
vm.expectRevert();
contract.deposit(address(weth), 0);
vm.stopPrank();
}

Output

Running the test without the fix will show the function execution succeeds:

Test failed: deposit(0) did not revert as expected.

After the fix, the test will pass:


Test passed: deposit(0) reverted.

This PoC highlights that the lack of validation for _amount allows participants to bypass the financial contribution requirement.

Recommendations

1 - Add Validation for _amount: Update the deposit function to include a check for _amount > 0:

function deposit(address _token, uint256 _amount) external beforeDeadline {
if (_amount <= 0) {
revert InvalidAmount();
}
if (!whitelisted[_token]) {
revert NotSupportedToken();
}
if (participant[msg.sender]) {
balances[msg.sender][_token] += _amount;
IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
emit GenerousAdditionalContribution(msg.sender, _amount);
} else {
participant[msg.sender] = true;
balances[msg.sender][_token] += _amount;
IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
}
}

2 - Add Validation for msg.value in receive:
Update the receive function to reject zero-value contributions.

receive() external payable {
if (msg.value <= 0) {
revert InvalidAmount();
}
etherBalance[msg.sender] += msg.value;
emit NewSignup(msg.sender, msg.value, true);
}

3 - Test Validation Logic: Add unit tests to ensure deposits with _amount <= 0 revert as expected.

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!