`Host` can prevent participants from refunding their `Deposits`
Summary
The Host can prevent participants who deposited in various ERC20 tokens from refunding their deposits.
https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L194
https://github.com/Cyfrin/2024-12-christmas-dinner/blob/9682dcc306db935a2511e1eb8280d17ef01e9004/src/ChristmasDinner.sol#L137
Vulnerability Details
When the host calls the christmasDinner::withdraw function, it will wipe the contract's balance in different tokens. Consequently, when a user attempts to refund their deposit, the transaction will revert because the contract has no tokens left.
PoC
use this test in
christmasDinnerTest.t.solfunction testHostCanPreventUsersFromRefunding() public {vm.prank(user1);cd.deposit(address(usdc),1e18);vm.prank(user2);cd.deposit(address(weth),1e18);assertEq(usdc.balanceOf(address(cd)),1e18);assertEq(weth.balanceOf(address(cd)),1e18);vm.warp(2 days);// user 1 after 2 days want to refund his deposit but he can't// Because deployer withdraw all tokensvm.prank(deployer);cd.withdraw();vm.expectRevert();vm.prank(user1);cd.refund();}
Impact
Users cannot claim refunds using the
christmasDinner::refundfunction and recover their deposits.
Tools Used
IDE
Manual Review
Recommendations
The
christmasDinner::withdrawfunction should only be callable after thedeadlinehas passed.
Lead Judging Commences
withdraw is callable before deadline ends
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.