The changeParticipationStatus() function allows users to toggle their participation status without any restrictions or cooldown period. This lack of rate limiting enables malicious participants to rapidly change their status, which can disrupt event planning and potentially cause denial of service by constantly changing the participant count.
The changeParticipationStatus() function allows users to toggle their participation status without any restrictions, such as rate limiting or cooldown periods. This lack of control enables malicious users to rapidly change their status, disrupting event planning by artificially manipulating participant numbers. The event host cannot accurately plan, and the excessive state changes increase gas costs. This creates a potential attack vector for griefing, where malicious participants can repeatedly flip their status, destabilizing the event's planning process.
Event planning becomes unreliable as participant counts can be artificially manipulated
Host cannot accurately plan for the event due to unstable participant numbers
Increased gas costs for the contract due to excessive state changes
Event management becomes challenging as participants can change status unlimited times
Potential griefing attack vector where a malicious user could programmatically flip their status to disrupt planning
Foundry
Implement a cooldown period between status changes.
Consider implementing a maximum number of status changes per address.
Add a small fee for changing status multiple times to discourage abuse.
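One way to combine the first two recommendations, shown as an added example rather than code from the audited contract: a per-address cooldown plus a cap on total status changes. The contract name, storage layout, `register()` stand-in and the `1 hours` / `3` limits are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the audited contract: names, storage layout and limits are assumptions.
contract ParticipationGuard {
    uint256 public constant STATUS_COOLDOWN = 1 hours; // assumed value
    uint8 public constant MAX_STATUS_CHANGES = 3;      // assumed value

    mapping(address => bool) public isParticipant;
    mapping(address => bool) public attending;
    mapping(address => uint64) public lastChangeAt;    // 0 = never toggled
    mapping(address => uint8) public changeCount;
    uint256 public attendingCount;

    error NotParticipant();
    error CooldownActive(uint256 availableAt);
    error ChangeLimitReached();

    event StatusChanged(address indexed participant, bool attending, uint8 changesUsed);

    /// Hypothetical stand-in for the real contract's registration/deposit path.
    function register() external {
        require(!isParticipant[msg.sender], "already registered");
        isParticipant[msg.sender] = true;
        attending[msg.sender] = true;
        attendingCount += 1;
    }

    function changeParticipationStatus() external {
        if (!isParticipant[msg.sender]) revert NotParticipant();
        // Hard cap: bounds the total churn one address can cause.
        if (changeCount[msg.sender] >= MAX_STATUS_CHANGES) revert ChangeLimitReached();

        // Cooldown: the first toggle is free, later ones must wait.
        uint256 availableAt = uint256(lastChangeAt[msg.sender]) + STATUS_COOLDOWN;
        if (lastChangeAt[msg.sender] != 0 && block.timestamp < availableAt) {
            revert CooldownActive(availableAt);
        }

        // Update the limiter state before flipping the status.
        lastChangeAt[msg.sender] = uint64(block.timestamp);
        changeCount[msg.sender] += 1;

        bool nowAttending = !attending[msg.sender];
        attending[msg.sender] = nowAttending;
        if (nowAttending) attendingCount += 1; else attendingCount -= 1;

        emit StatusChanged(msg.sender, nowAttending, changeCount[msg.sender]);
    }
}
```

The `StatusChanged` event also gives the host an off-chain signal: an address that hits `ChangeLimitReached` or repeatedly triggers `CooldownActive` is a candidate for review.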