Missing Update of Participation Status After Refund in refund Function
Summary
The refund function allows users to withdraw their funds if they no longer wish to participate in the event. However, after the user successfully receives their refund, the participant mapping is not updated to reflect that the user is no longer participating. This oversight means that the contract will not properly track users who choose to withdraw, potentially allowing them to rejoin the event or improperly track their participation status
Vulnerability Details
The issue is located in the refund function:
Problem:
After the user calls the
refundfunction and receives their tokens back, the contract does not update theparticipantmapping to reflect the change in their participation status (fromtruetofalse).This means the contract will continue to consider the user as a participant even after they have withdrawn their funds, potentially leading to incorrect behavior in other functions, such as allowing them to rejoin the event after they have opted out.
Impact
The user's participation status is not updated, so the contract may incorrectly treat them as still participating, which could affect event logic.
Tools Used
Manual
Recommendations
The contract should be modified to update the participant mapping to false after a user successfully refunds. This will ensure the contract accurately tracks users who have opted out of the event.
Lead Judging Commences
refund does not update participation status
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.