Missing Update of deadlineSet Flag Allows Unlimited Changes
Summary
In the current implementation of the setDeadline function, the flag deadlineSet is never updated to true after the deadline is successfully set. This issue allows the host to modify the deadline an unlimited number of times, bypassing the intended restriction that should prevent further changes once the deadline is set.
Vulnerability Details
The setDeadline function is designed to allow the host to set the event deadline. The logic checks whether the deadlineSet flag is true, and if it is, reverts the transaction. However, the flag deadlineSet is never updated after a successful deadline change. This oversight means that the host can continue to modify the deadline without any restrictions, even after an initial deadline is set.
Impact
The flag deadlineSet is meant to prevent the host from modifying the deadline once it has been set. Since the flag is not updated after setting the deadline, the host can call the setDeadline function repeatedly to change the deadline, potentially manipulating the event timing to their advantage.
Tools Used
Manual
Recommendations
To fix this vulnerability, the deadlineSet flag should be updated to true when the deadline is successfully set. This will ensure that subsequent attempts to modify the deadline are blocked.
Lead Judging Commences
deadline is never set to true
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.