Christmas Dinner

First Flight #31

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-2] `ChristmasDinner::withdraw` lacks deadline check, host can withdraw the funds before deadline, making uninterested participant unable to call `ChristmasDinner::refund`

zabid

Summary

The withdraw function does not check whether the deadline has passed before allowing the host to withdraw funds. This allows the host to withdraw funds before the deadline, potentially preventing participants from claiming refunds.

Vulnerability Details

The host calls the setDeadline function.
Before the deadline passes, the host calls the withdraw function.
Funds are withdrawn, and participants cannot get refunds.

This test was added to the ChristmasDinnerTest.t.sol
and it reverts with ERC20InsufficientBalance() error when the participant called refund

function testHostCanWithdrawWithinDeadline() public {

uint256 depositAmount = 1e18;

uint256 userBalanceBefore = weth.balanceOf(user1);

vm.startPrank(user1);

cd.deposit(address(weth), depositAmount);

assertEq(weth.balanceOf(address(cd)), depositAmount);

assertEq(weth.balanceOf(user1), userBalanceBefore - depositAmount);

vm.warp(1 + 3 days);

vm.startPrank(deployer);

cd.withdraw();

assertEq(weth.balanceOf(address(cd)), 0);

assertEq(weth.balanceOf(user1), userBalanceBefore- depositAmount);

assertEq(weth.balanceOf(deployer), depositAmount);

vm.stopPrank();

vm.startPrank(user1);

cd.refund();

}

Impact

Participants who decide not to attend may lose their deposits if the host withdraws the funds before the deadline. This breaks trust and the integrity of the contract.

Tools Used

Manual Review

Recommendations

Add a deadline check to the withdraw function to ensure funds are only accessible after the event signup period ends:

function withdraw() external onlyHost {

+ require(block.timestamp > deadline, "Cannot withdraw before deadline");

address _host = getHost();

...

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

withdraw is callable before deadline ends

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.