Unauthorized Modification of User Participation Status
Summary
A user can modify their participationStatus without calling the christmasDinner::deposit function, bypassing the intended workflow and gaining unauthorized access to the event.
Vulnerability Details
The christmasDinner::changeParticipationStatus function can be called directly by any user, bypassing the christmasDinner::deposit function. This allows users to modify their participationStatus and participate in the event as depositors without make a deposit or follow the protocol user flow.
Impact
Users can participate in the event for free.
Unauthorized users can become eligible to be the new host.
PoC
-
use this test in
christmasDinnerTest.t.solfunction testUserCanChangeStatusWithoutCallingDeposit() public {assertEq(cd.getParticipationStatus(user1),false);vm.prank(user1);cd.changeParticipationStatus();assertEq(cd.getParticipationStatus(user1),true);}
Tools Used
IDE
Manual Review
Recommendations
There are ton of ideas to mitigate this such as :
create a mapping to track people who called
depositfunction and add it as condition inchangeParticipationStatusMake a condition that the balance of caller > 0
Lead Judging Commences
usage of change participation logic circumvents deposit
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.