Christmas Dinner

First Flight #31

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Vulnerability in `ChristmasDinner:receive:` Participation Status Not Updated Upon Receiving Funds

s4bot3ur

Description

When users attempt to participate in the event by sending native ETH, the ChristmasDinner:receive function is triggered. While the function updates the user's balance, it fails to update their participation status, leaving them improperly registered as participants in the event.

Impact

When users pay with native ETH, their participation status is not updated, which undermines trust in the protocol and creates frustration for users.

Proof of Concept:

The below is the POC

function test_POC_receive()public{

address EXPLOITER=makeAddr("EXPLOITER");

startHoax(EXPLOITER,1 ether);

bool participation_status_before_change_pariticipation=cd.getParticipationStatus(EXPLOITER);

(bool check1,)=address(cd).call{value:1 ether}("");

require(check1,"Native ETH deposit failed");

bool participation_status_after_change_pariticipation=cd.getParticipationStatus(EXPLOITER);

console.log("Participation status before call :",participation_status_before_change_pariticipation);

console.log("Participation status after call :",participation_status_after_change_pariticipation);

}

Add the above code in the ChristmasDinnerTest.t.sol:ChristmasDinnerTest.
shell forge test --match-test test_POC_receive -vv
You will get output as folowing
- Participation status before call : false
- Participation status after call : false

Recommendations

Update the participation status within the receive() function to ensure that users who send native ETH are properly registered as participants. This will prevent the issue of unregistered participants and help maintain trust in the protocol.

receive() external payable {

+ participant[msg.sender]=true;

etherBalance[msg.sender] += msg.value;

emit NewSignup(msg.sender, msg.value, true);

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

receive does not update participation status

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.