Submission Details
Severity:
The `ChristmasDinner::Deposit` funcion does not allow a user to sign-up others.
The ChristmasDinner::Deposit funcion does not allow a user to sign-up others.
Description
Per the @dev natspec of function ChristmasDinner::Deposit, users should be able to sign-up other users but this is not the case, as only msg.sender is added into the participant mapping.
Impact
Participants cannot sign up friends, reducing the utility of the contract.
Proof of Concepts
The function offers no option to add an address paramater for signing up other users besides msg.sender.
Recommended mitigation
Add the following change to the code.
function deposit(address _token, uint256 _amount, address _friend) external beforeDeadline {
if (!whitelisted[_token]) {
revert NotSupportedToken();
}
// Determine if the user is signing up themselves or a friend
+ address participantAddress = (_friend == address(0)) ? msg.sender : _friend;
// Update the participation and balance for the participant
+ if (participant[participantAddress]) {
- if(participant[msg.sender]){
// If already a participant, treat as an additional contribution
+ balances[participantAddress][_token] += _amount;
- balances[msg.sender][_token] += _amount;
IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
+ emit GenerousAdditionalContribution(participantAddress, _amount);
- emit GenerousAdditionalContribution(msg.sender, _amount);
} else {
// Sign up the new participant
+ participant[participantAddress] = true;
- participant[msg.sender] = true;
+ balances[participantAddress][_token] += _amount;
- balances[msg.sender][_token] += _amount;
+ IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
+ emit NewSignup(participantAddress, _amount, getParticipationStatus(participantAddress));
- emit NewSignup(msg.sender, _amount, getParticipationStatus(msg.sender));
}
}
Updates
Lead Judging Commences
0xtimefliez 10 months ago
Submission Judgement Published Assigned finding tags:
Deposit function lacks functionality
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.