ETH funds will be stuck in the contract after the deadline
Summary
Before the deadline, participants can request a refund for the ETH they contributed for the dinner.
However, after the deadline, participants can no longer claim refunds, and the host cannot withdraw the ETH.
As a result, any ETH remaining in the contract at the time of the deadline will be effectively locked within the contract (unless the deadline is updated).
Vulnerability Details
After the deadline the participants cannot get a refund:
The host can only withdraw token funds:
The deadline can be updated at anytime since DinnerChristmas::deadlineSet is never set to true. Updating the deadline will allow the ETH senders to request a refund for their ETH, however it will still not enable the host to withdraw the ETH.
Additionally, it is unclear whether it should be allowed for the deadline to be changed after it is initially set, as the contract defines a ChristmasDinner:DeadlineAlreadySet error, implying that after the first ChrismasDeadline::setDeadline call, ChristmasDeadline::deadlineSet should be set to true.
Impact
If any ETH is present in the contract when the deadline is reached, it will be unretrievable unless the deadline is updated.
Tools Used
Recommendations
In ChristmasDinner::withdraw, implement the withdrawal of ETH funds by the host.
Set ChrismasDinner::deadlineSet flag to true in ChristmasDinner::setDeadline if the deadline should not be allowed updates.
Lead Judging Commences
withdraw function lacks functionality to send ether
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.