Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Manual `participant` Status Update Required for ETH Depositors

Summary

Depositors in ETH must manually change their participation status, as it is not set automatically.
https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L205

Vulnerability Details

When a user deposits ETH, they trigger the `ChristmasDinner::receive` function. Unlike `ChristmasDinner::deposit`, however, `receive` does not set `participant[msg.sender] = true`. As a result, the user has to call `ChristmasDinner::changeParticipationStatus` manually to set their status to `true`.

PoC

  • Use this test in christmasDinnerTest.t.sol:

    function testDepositorsInETHMustChangeStatusManually() public {
        address payable _cd = payable(address(cd));
        vm.deal(user1, 10e18);

        // Deposit 1 ETH with a plain transfer, which hits receive()
        vm.prank(user1);
        (bool sent, ) = _cd.call{value: 1e18}("");
        require(sent, "transfer failed");

        vm.startPrank(user1);
        // Expected: the status is set to true automatically after the deposit.
        // Actual: it is still false.
        assertEq(cd.getParticipationStatus(user1), false);
        // The user must change the status manually
        cd.changeParticipationStatus();
        assertEq(cd.getParticipationStatus(user1), true);
        vm.stopPrank();
    }

Impact

  • If the user does not manually update their status, they will be considered a Funder instead of a Participant.
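
The PoC above checks storage only. The following added example (not code from the submission or from the ChristmasDinner repository) uses a constructed `DinnerModel` stand-in to show a second consequence: the `receive` body quoted under Recommendations emits `NewSignup(..., true)` while `participant` stays `false`, so the log and storage disagree until the recommended line is in place. `DinnerModel`, its `applyFix` switch, the event's parameter layout and the reading of the third event argument as the participation flag are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, Vm} from "forge-std/Test.sol";

// Constructed stand-in, not the ChristmasDinner source: only the ETH path is modelled.
contract DinnerModel {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    bool immutable applyFix; // hypothetical switch: false = receive() as reported

    // Assumed layout; the third argument is read as the participation flag.
    event NewSignup(address indexed who, uint256 amount, bool status);

    constructor(bool _applyFix) { applyFix = _applyFix; }

    receive() external payable {
        if (applyFix) participant[msg.sender] = true; // the recommended line
        etherBalance[msg.sender] += msg.value;
        emit NewSignup(msg.sender, msg.value, true);
    }
}

contract EventMatchesStorageTest is Test {
    address user1 = makeAddr("user1");
    // Sends 1 ether, returns (flag in the emitted event, flag in storage).
    function _signup(DinnerModel d) internal returns (bool emitted, bool stored) {
        vm.deal(user1, 1 ether);
        vm.recordLogs();
        vm.prank(user1);
        (bool sent, ) = address(d).call{value: 1 ether}("");
        require(sent, "transfer failed");
        Vm.Log[] memory logs = vm.getRecordedLogs();
        (, emitted) = abi.decode(logs[0].data, (uint256, bool));
        stored = d.participant(user1);
    }

    function testReportedReceiveEmitsTrueButStoresFalse() public {
        (bool emitted, bool stored) = _signup(new DinnerModel(false));
        assertTrue(emitted);
        assertFalse(stored); // log says participant, storage says funder
    }

    function testFixedReceiveKeepsLogAndStorageInSync() public {
        (bool emitted, bool stored) = _signup(new DinnerModel(true));
        assertTrue(emitted);
        assertTrue(stored);
    }
}
```

Both tests pass under `forge test`; the first documents the mismatch an off-chain indexer would see if it trusted the event alone.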

Tools Used

  • IDE

  • Manual Review

Recommendations

receive() external payable {
+ participant[msg.sender] = true
etherBalance[msg.sender] += msg.value;
emit NewSignup(msg.sender, msg.value, true);
}
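
Review bot: the added line `participant[msg.sender] = true` has no terminating semicolon, so `receive()` will not compile as written; it should read `participant[msg.sender] = true;`. The unchanged `emit NewSignup(msg.sender, msg.value, true);` already passes a hard-coded `true`, so if that argument is the participation flag, consider emitting the stored value instead so the event cannot drift from storage again. The PoC test would also need its first assertion flipped to `true` to serve as a regression test for this change.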

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

receive does not update participation status
