Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Missing Participant Status Update in Refund Function

Summary

The contract has no mechanism to update a user's participant status after that user refunds their ETH or ERC20 tokens before the deadline. As a result, users are still considered participants even after they have been refunded. The issue is present in both the ETH and ERC20 refund paths: both return the user's funds but neither updates the participant status accordingly.

Participation status is managed separately through the changeParticipationStatus() function, but no equivalent state update is performed in refund() after a participant has been refunded.

Vulnerability Details

ETH Refund Function:

    function _refundETH(address payable _to) internal {
        uint256 refundValue = etherBalance[_to];
        _to.transfer(refundValue);
        etherBalance[_to] = 0;
        // participant[_to] is never touched here or in the calling refund()
    }
  • When a participant refunds their ETH before the deadline, their ETH balance is returned via the _refundETH internal function.

  • However, there is no state update to the participant mapping to reflect the change in participation status.

  • As a result, a user could still be considered a participant even after their ETH is refunded and they are no longer part of the event.

  • This creates a potential issue of users being wrongly treated as participants after they have effectively opted out.

ERC20 Refund Function:

Similarly, the _refundERC20 function lets users refund their ERC20 tokens (e.g., WETH, WBTC, USDC) before the deadline, but it does not update the participant status either. Users can refund all of their tokens and still remain in the system as participants, which can have unintended consequences such as access to functions restricted to participants.

Impact

  • Users who request a refund before the deadline are still considered participants, which could lead to confusion or potential abuse, since participant-only logic still treats them as members of the event.

  • The absence of a state update in the refund function lets a user who has opted out continue to appear as a participant.

Tools Used

Manual source code review.

Recommendations

Modify the refund() function so that, after a participant is refunded, their participation status is updated accordingly in the participant mapping. For example:

    function refund() external nonReentrant beforeDeadline {
        address payable _to = payable(msg.sender);
        _refundERC20(_to);
        _refundETH(_to);
        // Explicitly mark user as no longer a participant after refund
        participant[msg.sender] = false;
        emit Refunded(msg.sender);
    }

Ensure that the status is set to false whenever a user refunds their ETH / ERC-20 tokens and opts out of the event.
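To show the finding and the fix end to end, here is an added Foundry test (not the project's code) against a hypothetical, ETH-only stand-in for the contract: with the original refund() behaviour the participant flag survives the refund, with the recommended fix it is cleared. The Dinner contract, its deposit() function and the clearOnRefund switch are assumptions introduced for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical ETH-only stand-in for the audited contract. `clearOnRefund`
// selects the original behaviour (false) or the recommended fix (true).
contract Dinner {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    uint256 public immutable deadline;
    bool public immutable clearOnRefund;
    modifier beforeDeadline() { require(block.timestamp < deadline, "past deadline"); _; }
    constructor(uint256 _deadline, bool _clearOnRefund) {
        deadline = _deadline;
        clearOnRefund = _clearOnRefund;
    }
    function deposit() external payable beforeDeadline {
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }
    function refund() external beforeDeadline {
        uint256 refundValue = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;                       // effects before interaction
        if (clearOnRefund) participant[msg.sender] = false; // the missing state update
        (bool ok, ) = payable(msg.sender).call{value: refundValue}("");
        require(ok, "refund failed");
    }
}

contract RefundStatusTest is Test {
    address alice = makeAddr("alice");

    // Deposit 1 ETH as alice, refund it, and return the contract for status checks.
    function _depositThenRefund(bool fixedVersion) internal returns (Dinner d) {
        d = new Dinner(block.timestamp + 1 days, fixedVersion);
        vm.deal(alice, 1 ether);
        vm.startPrank(alice);
        d.deposit{value: 1 ether}();
        d.refund();
        vm.stopPrank();
        assertEq(alice.balance, 1 ether); // ETH came back in both versions
    }
    function test_originalKeepsParticipantAfterRefund() public {
        assertTrue(_depositThenRefund(false).participant(alice)); // the reported bug
    }
    function test_fixClearsParticipantAfterRefund() public {
        assertFalse(_depositThenRefund(true).participant(alice));
    }
}
```

Run with `forge test --match-contract RefundStatusTest`; the first test documents the bug and the second passes only once the flag is cleared on refund.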

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund does not update participation status
