Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Unrestricted Access to Refund Function Allows Unauthorized Token Claims

Summary

The refund() function in the ChristmasDinner contract lacks access control: any address can call it regardless of whether it is a registered participant.

Vulnerability Details

The refund() function is designed to return deposited funds to participants who wish to withdraw from the Christmas dinner event. However, the function does not verify if the caller is actually a registered participant before processing the refund.

Current implementation:

function refund() external nonReentrant beforeDeadline {
    // No check that participant[msg.sender] is set: any caller reaches the refund helpers.
    address payable _to = payable(msg.sender);
    refundERC20(_to);
    refundETH(_to);
    emit Refunded(msg.sender);
}

The function only checks:

  1. Reentrancy protection via nonReentrant

  2. Deadline hasn't passed via beforeDeadline

It never verifies that participant[msg.sender] is true before processing the refund.

Impact

While the actual impact may be limited since the refund amount is based on recorded balances, this represents a significant security flaw that:

  1. Allows unauthorized access to a privileged function

  2. Wastes gas through unnecessary function calls and failed transfers

  3. Could potentially be exploited if combined with other vulnerabilities

  4. Pollutes the event logs with invalid Refunded events

Tools Used

  • Manual review

Recommendations

Add a participant check at the start of the function:

function refund() external nonReentrant beforeDeadline {
    // Reject callers that never registered before touching any balances.
    if (!participant[msg.sender]) {
        revert NotParticipant();
    }
    address payable _to = payable(msg.sender);
    refundERC20(_to);
    refundETH(_to);
    emit Refunded(msg.sender);
}

Additionally:

  1. Add a custom error NotParticipant() to the contract

  2. Consider adding balance checks before attempting transfers

  3. Update the participant status to false after successful refund
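As an added example (not code from the ChristmasDinner contract or from this submission), a self-contained Foundry test that exercises the recommended participant check together with items 1 and 3 above; the MinimalDinner contract, its deposit() function and the test addresses are hypothetical stand-ins for the real contract's surface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal contract reproducing only the refund path under discussion.
contract MinimalDinner {
    error NotParticipant();                  // recommendation 1: custom error
    event Refunded(address indexed who);

    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;

    function deposit() external payable {
        participant[msg.sender] = true;
        etherBalance[msg.sender] += msg.value;
    }

    // Recommended shape: reject unregistered callers before any balance is read.
    function refund() external {
        if (!participant[msg.sender]) revert NotParticipant();
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;        // effects before interaction
        participant[msg.sender] = false;     // recommendation 3: clear status after refund
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
        emit Refunded(msg.sender);
    }
}

contract RefundAccessTest is Test {
    MinimalDinner dinner;
    address alice = makeAddr("alice");       // registered participant
    address outsider = makeAddr("outsider"); // never deposited

    function setUp() public {
        dinner = new MinimalDinner();
        vm.deal(alice, 1 ether);
    }

    // An address that never registered must be rejected with the custom error.
    function test_nonParticipantRefundReverts() public {
        vm.prank(outsider);
        vm.expectRevert(MinimalDinner.NotParticipant.selector);
        dinner.refund();
    }

    // A registered participant is refunded and its status is cleared.
    function test_participantRefundClearsState() public {
        vm.prank(alice);
        dinner.deposit{value: 1 ether}();
        vm.prank(alice);
        dinner.refund();
        assertEq(alice.balance, 1 ether);
        assertFalse(dinner.participant(alice));
    }
}
```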

Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
