Submission Details
Severity:
When signing-up by sending ether to the contract directly, the `participant` mapping is never updated to count the participation
Description The ChristmasDinner::receive function does not update the participant mapping when being triggered, it only updates the etherBalance mapping.
Impact
Users who sign up by sending ETH directly to the contract are not added to the dinner, not counting their intended participation.
Proof of Concepts
Add the followiing test to ChristmasDinnerTest.t.sol file.
function test_signingUpBySendingEtherDoesntAddTheParticipant() public {
address payable _cd = payable(address(cd));
vm.deal(user1, 10e18);
vm.prank(user1);
// The user sends ETH directly
(bool sent,) = _cd.call{value: 1e18}("");
require(sent, "transfer failed");
//Their intended participation is not included
assert(cd.getParticipationStatus(user1) == false);
}
Recommended mitigation
Add the following change to the code.
receive() external payable {
etherBalance[msg.sender] += msg.value;
+ participant[msg.sender] = true;
emit NewSignup(msg.sender, msg.value, true);
}
Updates
Lead Judging Commences
0xtimefliez 12 months ago
Submission Judgement Published Assigned finding tags:
receive does not update participation status
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.