Vulnerability in receive() Function: Missing Participant Status Update
Summary
In the current implementation of the receive() function, when a user sends Ether to the contract, the participant mapping does not update the user's participation status to true. This omission prevents the contract from correctly tracking the user's participation in the event, despite the user sending Ether to join.
Vulnerability Details
The receive() function allows users to send Ether to the contract to participate in the event. However, while the Ether sent by the user is recorded in the etherBalance mapping, the participant mapping, which tracks whether a user is participating, is not updated. This means that users who send Ether to join the event will not be marked as participants, and as a result, they may be unable to access certain functionality intended for participants, such as receiving refunds or changing their participation status.
Impact
The contract fails to update the participant mapping when users send Ether to join the event. As a result, users who contribute Ether are not correctly registered as participants, which may lead to issues such as:
Inability to change participation status.
Inability to receive a refund if they choose not to attend.
Lack of access to functionality meant for participants
Tools Used
Manual
Recommendations
To resolve this issue, the contract should update the participant mapping when a user sends Ether, marking them as a participant. Additionally, emitting an event to confirm the update would provide a more transparent mechanism for tracking participants.
Lead Judging Commences
receive does not update participation status
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.