Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Valid

`ChristmasDinner::changeParticipationStatus()` has no balance checks, meaning non-funders can become participants

Summary

The function `changeParticipationStatus()` is declared `external` and performs no check on the caller's deposited balance, so non-funders can become participants. This contradicts the contract's logic as stated in the Actors section of the docs: "Participant: Attendees of the event which provided some sort of funding."

Vulnerability Details

Allowing non-funders to become participants disrupts the event's organization. It can lead to malicious actors in the contract, and to users who did not provide any funding benefiting from the event without contributing, which undermines both the host's control over participation and the contract's intended logic.

Impact

Anyone can become a participant, distorting the contract's intended functionality for overall event organization.

Tools Used

Manual Review, Foundry

Recommendations

Add a balance check before changing the state of the participant:

function changeParticipationStatus() external {
if(participant[msg.sender]) {
participant[msg.sender] = false;
} else if(!participant[msg.sender] && block.timestamp <= deadline) {
+ bool hasBalance = etherBalance[msg.sender] > 0 ||
+ balances[msg.sender][address(i_WETH)] > 0 || balances[msg.sender][address(i_WBTC)]
+ || balances[msg.sender][address(i_USDC) > 0];
+ if(!hasBalance) {
+ revert("you dont have deposit in contract");
+ }
participant[msg.sender] = true;
} else {
revert BeyondDeadline();
}
emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
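
Review bot: The added `hasBalance` expression will not compile as written. In the second added line, `balances[msg.sender][address(i_WBTC)]` is used as an operand of `||` without a `> 0` comparison, and in the third, `balances[msg.sender][address(i_USDC) > 0]` places `> 0` inside the index bracket, so the mapping key becomes a comparison result instead of an address. Each of the three token terms should have the shape `balances[msg.sender][address(i_USDC)] > 0`. The new branch also reverts with a string while the existing `else` branch uses the custom error `BeyondDeadline()`; a dedicated custom error would match the function's existing style.
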
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
