Christmas Dinner

First Flight #31

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Social Event Smart Contract for Secure Funding

charyjatin

Summary

The ChristmasDinner contract collects upfront payments for event participation, ensuring proper planning. Key improvements include adding reentrancy protection, stricter deadline enforcement, and better host and fund management to enhance security and reliability.

Vulnerability Details

Reentrancy Risk in Ether Handling
- The receive() function is unprotected against reentrancy attacks. A malicious contract could exploit this during Ether transfers.
- Fix: Use the nonReentrant modifier or implement the Checks-Effects-Interactions (CEI) pattern.
Participation Changes After Deadline
- Users can still toggle participation from true to false after the deadline, which can disrupt event planning.
- Fix: Block all participation changes once the deadline has passed.
Ether Overflow Risk
- There's no limit on Ether deposits, which could lead to unintended large contributions.
- Fix: Add checks to validate deposit amounts.
Host Role Vulnerability
- The changeHost function assumes trust between participants, but a malicious new host could misuse funds.
- Fix: Add multi-signature approval or restrict host changes to specific conditions.
Token Whitelisting Risks
- If the whitelisted mapping is modified, unauthorized tokens might be accepted.
- Fix: Make the whitelist immutable or restrict changes to deployment time.
Locked Ether
- Accidental Ether transfers to the contract can only be recovered by the host.
- Fix: Add a fallback function to handle these cases.

Recommendations

Guard Ether Handling: Protect all Ether-related functions with reentrancy checks.
Strict Deadlines: Stop participation changes after the deadline.
Input Validation: Limit Ether and token deposits to prevent overflows.
Improve Host Security: Require multiple approvals for host changes.
Fix Whitelisting: Lock the whitelist to prevent unauthorized token deposits.
Handle Mistakes: Include a fallback to recover accidental Ether transfers.

These changes will make the contract more secure and user-friendly. Let me know if you want code adjustments!

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!