Summary:
`ChristmasDinner::receive` does not validate `msg.sender`: whoever sends ETH, a real account or the zero address, is recorded as a participant.
```javascript
receive() external payable {
@> etherBalance[msg.sender] += msg.value;
emit NewSignup(msg.sender, msg.value, true);
}
```
Because of this missing check, an address that nobody controls can be recorded as a participant and, per the report's concern, later end up as host, leaving the contract's funds stuck.
Impact:
If the zero address (or a contract nobody controls) is recorded as a participant and later becomes host, all ETH held by the contract is locked. One caveat a reviewer should keep in mind: on a live chain `msg.sender` cannot be the zero address, since no known key or deployed contract lives at it; the PoC below reaches this state only through Foundry's `vm.prank`. The check is therefore defensive hardening of `receive()` rather than the closing of a path an attacker can take today.
Proof of concept:
Add the following test to `ChristmasDinnerTest.t.sol`; it uses the existing `cd` contract instance from that file. It shows that the zero address can sign up; it does not exercise the host-change path.
Code:
```javascript
function testZeroAddressCanParticipate() public {
    // Impersonate the zero address. This is only possible here because
    // Foundry's vm.prank sets msg.sender directly, with no signature involved.
    address payable hacker = payable(address(0));
    vm.deal(hacker, 10e18);
    vm.prank(hacker);

    // A plain ETH transfer hits receive(), which records the sender as a participant.
    (bool sent,) = address(cd).call{value: 1e18}("");
    require(sent, "transfer failed");

    // The deposit is accepted: 1 ETH left the zero address and now sits in the contract.
    assertEq(hacker.balance, 9e18);
    assertEq(address(cd).balance, 1e18);
}
```
Recommendations:
Add a zero-address check to `receive()` so the deposit is rejected before any state is written:
```diff
receive() external payable {
+ if(msg.sender == address(0)) {
+ revert();
+ }
etherBalance[msg.sender] += msg.value;
emit NewSignup(msg.sender, msg.value, true);
}
```
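A regression test for the patched `receive()`, added here as an example; it is not part of the original report or of the project's test suite. It assumes the existing `setUp()` in `ChristmasDinnerTest.t.sol` deploys the patched contract as `cd`, that the test contract inherits forge-std's `Test` (as the existing `vm`/`assertEq` usage suggests, which also provides `makeAddr`), and that the patch uses a bare `revert()` as in the diff above, so `vm.expectRevert()` with no argument matches it.

```solidity
// Added example (not from the original report): regression test for the zero-address check.
// Assumes `cd` is the patched ChristmasDinner deployed by setUp() and that receive()
// rejects address(0) with a bare revert() as shown in the recommended diff.
function testZeroAddressCannotParticipateAfterFix() public {
    address payable zero = payable(address(0));
    vm.deal(zero, 10e18);
    uint256 contractBefore = address(cd).balance;

    vm.prank(zero);
    vm.expectRevert(); // bare revert() carries no data, so match any revert
    (bool revertsAsExpected,) = address(cd).call{value: 1e18}("");
    // With expectRevert on a low-level call, the returned flag reports that the
    // expected revert happened, not that the call succeeded, so state is checked below.
    assertTrue(revertsAsExpected, "expectRevert: call did not revert");

    // Nothing moved: the zero address keeps its 10 ETH and the contract balance is unchanged.
    assertEq(zero.balance, 10e18);
    assertEq(address(cd).balance, contractBefore);

    // The happy path is unaffected: an ordinary account (constructed via makeAddr) can still sign up.
    address payable alice = payable(makeAddr("alice"));
    vm.deal(alice, 10e18);
    vm.prank(alice);
    (bool ok,) = address(cd).call{value: 1e18}("");
    assertTrue(ok, "normal signup failed");
    assertEq(alice.balance, 9e18);
    assertEq(address(cd).balance, contractBefore + 1e18);
}
```

Run it with `forge test --match-test testZeroAddressCannotParticipateAfterFix -vvv`. Asserting on balances rather than on the low-level call's return value matters here: Foundry swallows the revert it was told to expect, so `revertsAsExpected` is `true` even though the inner call reverted, and only the unchanged balances prove the deposit was rejected.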