receive() function does not track "participation status"
Summary
The receive() function, responsible for Ether signups, does not set the participant status as true; in other words, it is not marking(registering) that the user is now a participant. It just emits an event NewSignup and updates the balance, thus leading to the user not being fairly marked as a participant even after sending funds.
Vulnerability Details
The receive() function fails to properly register participants when they send ETH directly to the contract. While the function updates the user's ETH balance and emits a NewSignup event, it critically fails to set participant[msg.sender] = true, unlike the token deposit function. This creates a discrepancy between the user's financial contribution and their participation status.
Impact - High
-
Users sending ETH directly to the contract won't be registered as participants despite their contribution
-
These users may be unable to:
Participate in the event despite having sent funds
Be eligible for host duties (since host must be a participant)
-
Misleading event emission showing participation (
NewSignupwithtrue) while actual state doesn't reflect this
Tools Used
Manual Review
Recommendations
Lead Judging Commences
receive does not update participation status
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.