After refund there is no validation present to make the refunded person out of the dinner participation list.
Summary
The current implementation of the refund function allows participants to receive refunds for their deposits before the deadline. However, the function lacks integration with any mechanism to update the participant’s status after a refund. Specifically:
After calling the
refundfunction, a participant remains marked as active, allowing them to potentially exploit the system.This omission enables refunded individuals to retain their status as participants, which can result in unjustified privileges (e.g., attending events like a dinner or remaining eligible for rewards).
Vulnerability Details
Observe the refund function and there is no call to make the refunded participant out of the participation list for the dinner.
Impact
Refunded individuals can still attend events (e.g., dinners) without financial contribution, violating fairness and system rules.
Loss of funds: Hosts bear the cost of providing resources to non-contributing participants, causing monetary losses.
This vulnerability directly impacts financial sustainability, system integrity, and stakeholder confidence.
Tools Used
Manual
Recommendations
Lead Judging Commences
refund does not update participation status
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.