Submission Details
Severity:
It is possible to enter event by changing the status and never have to deposit the funds
Description:
Anyone can enter the event can just by changing the participant status by using ChristmasDinner::changeParticipationStatus() function. And they would not need to donate the funds.
Impact:
The event organisers would fail short on funds in order to run the event properly which will create problems for participants.
Proof of Concept:
function test_changetheStatusonly() public {
vm.prank(user1);
cd.changeParticipationStatus();
// the participants status will show ture even though participant has never donated the funds
assertEq(cd.getParticipationStatus(user1), true);
}
Recommended Mitigation:
function changeParticipationStatus() external {
+ require(
+ balances[msg.sender][address(i_WBTC)] > 0 ||
+ balances[msg.sender][address(i_WETH)] > 0 ||
+ balances[msg.sender][address(i_USDC)] > 0 ||
+ etherBalance[msg.sender] > 0,
+ "Cannot change the status without sending the funds first"
+ );
...
}
Updates
Lead Judging Commences
0xtimefliez 8 months ago
Submission Judgement Published Assigned finding tags:
usage of change participation logic circumvents deposit
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.