Christmas Dinner

First Flight #31
Submission Details
Severity: medium
Valid

Refund Function Does Not Update Participation Status

Summary

The refund function in the ChristmasDinner contract processes refunds for participants but fails to update their participation status. As a result, users who have withdrawn their contributions are still marked as active participants (participant[msg.sender] = true), leading to inconsistent state and potential misuse.

Vulnerability Details

function refund() external nonReentrant beforeDeadline {
    address payable _to = payable(msg.sender);
    // @audit > no state update
    _refundERC20(_to);
    _refundETH(_to);
    emit Refunded(msg.sender);
}

Impact

Inaccurate Event Management: Users marked as participants might be considered part of the event even after withdrawing their funds.

Tools Used

Manual review.

Recommendations

Modify the refund function to update the participant status to false after processing the refund.

Updated refund Function:

function refund() external nonReentrant beforeDeadline {
    address payable _to = payable(msg.sender);
    // Refund ERC20 tokens and Ether
    _refundERC20(_to);
    _refundETH(_to);
    // Update participant status to false
    participant[msg.sender] = false;
    emit Refunded(msg.sender);
}
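
A Foundry regression test for this finding, added here as an example and not taken from the ChristmasDinner repository. DinnerModel, its deposit() function, the etherBalance mapping and the clearFlag switch are constructed stand-ins (ETH only, no deadline or reentrancy guard); only participant and refund() mirror names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
// Constructed stand-in for the contract under review (assumption, not project code).
// clearFlag = false reproduces the reported behaviour, true applies the recommended fix.
contract DinnerModel {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    bool public immutable clearFlag;
    constructor(bool _clearFlag) { clearFlag = _clearFlag; }

    function deposit() external payable {
        participant[msg.sender] = true;
        etherBalance[msg.sender] += msg.value;
    }

    function refund() external {
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;
        // Cleared before the transfer because this model has no reentrancy guard.
        if (clearFlag) participant[msg.sender] = false;
        (bool ok,) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }
}

contract RefundStatusTest is Test {
    address alice = makeAddr("alice");

    function _depositAndRefund(bool clearFlag) internal returns (DinnerModel d) {
        d = new DinnerModel(clearFlag);
        vm.deal(alice, 1 ether);
        vm.startPrank(alice);
        d.deposit{value: 1 ether}();
        d.refund();
        vm.stopPrank();
    }

    function test_reportedBehaviour_flagSurvivesRefund() public {
        DinnerModel d = _depositAndRefund(false);
        assertEq(alice.balance, 1 ether);  // funds fully returned
        assertTrue(d.participant(alice));  // yet still recorded as a participant
    }

    function test_fixedBehaviour_flagClearedOnRefund() public {
        DinnerModel d = _depositAndRefund(true);
        assertEq(alice.balance, 1 ether);
        assertFalse(d.participant(alice)); // status matches the withdrawn funds
    }
}
```
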
Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

refund does not update participation status
