Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Invalid

Lack of Proper Access Control in `setDeadline` Function

[HIGH-1] Lack of Proper Access Control in setDeadline Function

Severity: High

Description:
The setDeadline function is currently callable by any user, allowing them to arbitrarily reset the deadline for deposits and refunds. This opens the door for malicious actors to disrupt the intended flow of the contract by extending or reducing the deadline to suit their personal interests.

```solidity
function setDeadline(uint256 newDeadline) public {
    // No access control to restrict who can set the deadline
    deadline = newDeadline;
}
```

Impact:
Malicious users could potentially block participants from claiming refunds or making deposits, resulting in financial losses and undermining trust in the system.

Proof of Concept:
The following test demonstrates that a non-owner can change the deadline:

```solidity
function test_non_owner_can_set_deadline() public {
    vm.startPrank(user1); // Simulate a call from user1
    uint256 newDeadline = 10 days;
    cd.setDeadline(newDeadline); // No revert
    vm.stopPrank();
    // Verify the new deadline
    assertEq(cd.deadline(), newDeadline);
}
```

Recommended Mitigation:
Restrict access to the setDeadline function by using the onlyHost modifier already defined in the contract. This ensures that only the designated host can modify the deadline:

```solidity
function setDeadline(uint256 newDeadline) public onlyHost {
    deadline = newDeadline;
}
```
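
A Foundry regression test for the access-control check named in the mitigation, added here as an example; it is not code from the submission or from the audited contract. `DinnerStub` and its `NotHost` error are constructed stand-ins, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, NOT the audited contract: only the pieces needed
// to exercise an onlyHost check on setDeadline.
contract DinnerStub {
    error NotHost(); // hypothetical error name

    address public host;
    uint256 public deadline;

    constructor() {
        host = msg.sender;
    }

    modifier onlyHost() {
        if (msg.sender != host) revert NotHost();
        _;
    }

    function setDeadline(uint256 newDeadline) public onlyHost {
        deadline = newDeadline;
    }
}

contract SetDeadlineAccessTest is Test {
    DinnerStub cd;
    address user1 = makeAddr("user1");

    function setUp() public {
        cd = new DinnerStub(); // the test contract deploys, so it is the host
    }

    // Negative test: a caller other than the host must be rejected.
    function test_non_host_cannot_set_deadline() public {
        uint256 previous = cd.deadline();
        vm.prank(user1);
        vm.expectRevert(DinnerStub.NotHost.selector);
        cd.setDeadline(10 days);
        assertEq(cd.deadline(), previous); // state is unchanged
    }

    // Positive test: the host can still set the deadline.
    function test_host_can_set_deadline() public {
        cd.setDeadline(10 days);
        assertEq(cd.deadline(), 10 days);
    }
}
```

Running the negative test against the real contract instead of the stub (with the revert selector adjusted to whatever the contract uses) shows directly whether a non-host call goes through.
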
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
