Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: low
Valid

Anyone can set themselves as participant without deposit in `changeParticipationStatus()`

Summary

The `changeParticipationStatus()` function allows anyone to become a participant without making any deposit, violating the core functionality where participation should be linked to a financial contribution.

Vulnerability Details

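```solidity
function changeParticipationStatus() external {
    if (participant[msg.sender]) {
        participant[msg.sender] = false;
    } else if (!participant[msg.sender] && block.timestamp <= deadline) {
        participant[msg.sender] = true; // No deposit verification
    } else {
        revert BeyondDeadline();
    }
    emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
```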

  • Anyone can set themselves as participant without deposit

  • Could be selected as host since only requirement is being participant

  • Breaks intended deposit-to-participate mechanism

Impact

  • Violates core business logic requiring deposits for participation

  • Could lead to non-contributing participants being selected as host

Tools Used

Manual Review

Recommendations

Check for prior deposits:

```solidity
function changeParticipationStatus() external {
    if (participant[msg.sender]) {
        participant[msg.sender] = false;
    } else if (!participant[msg.sender] && block.timestamp <= deadline) {
        // Check for any prior deposits
        if (balances[msg.sender][address(i_WETH)] > 0 ||
            balances[msg.sender][address(i_WBTC)] > 0 ||
            balances[msg.sender][address(i_USDC)] > 0 ||
            etherBalance[msg.sender] > 0) {
            participant[msg.sender] = true;
        } else {
            revert("Must deposit first");
        }
    } else {
        revert BeyondDeadline();
    }
    emit ChangedParticipation(msg.sender, participant[msg.sender]);
}
```
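A Foundry regression test for the deposit check recommended above, as an added example that is not part of the original submission or the audited contract. `DinnerModel`, its `deposit()` function and the `patched` switch are a constructed stand-in reduced to ether deposits, so the same test can show the behaviour before and after the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in, not the audited contract: the participation logic quoted in
// this finding, reduced to ether. deposit() and the `patched` switch are assumptions.
contract DinnerModel {
    error BeyondDeadline();
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    uint256 public deadline = block.timestamp + 7 days;
    bool public immutable patched;
    constructor(bool _patched) { patched = _patched; }

    function deposit() external payable {
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }

    function changeParticipationStatus() external {
        if (participant[msg.sender]) {
            participant[msg.sender] = false;
        } else if (block.timestamp <= deadline) {
            if (patched) require(etherBalance[msg.sender] > 0, "Must deposit first");
            participant[msg.sender] = true;
        } else {
            revert BeyondDeadline();
        }
    }
}

contract ParticipationGateTest is Test {
    address outsider = makeAddr("outsider"); // never deposits
    function test_unpatchedAdmitsNonDepositor() public {
        DinnerModel d = new DinnerModel(false);
        vm.prank(outsider);
        d.changeParticipationStatus();
        assertTrue(d.participant(outsider)); // participant with a zero balance
    }

    function test_patchedGatesOnDeposit() public {
        DinnerModel d = new DinnerModel(true);
        vm.prank(outsider);
        vm.expectRevert(bytes("Must deposit first"));
        d.changeParticipationStatus();
        vm.deal(address(this), 1 ether);
        d.deposit{value: 1 ether}();
        d.changeParticipationStatus(); // depositor leaves
        d.changeParticipationStatus(); // and may rejoin: balance > 0
        assertTrue(d.participant(address(this)));
    }
}
```

Run it with `forge test` inside a Foundry project that has `forge-std` installed.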
Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

usage of change participation logic circumvents deposit
