Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Invalid

[H-3] `ChristmasDinner::refund` Function Lacks Participation Status Check

Summary

The refund() function does not consult the participant mapping to verify that the caller is an active participant. A user whose participation status is false can still call refund() and reclaim their contribution.

Vulnerability Details

The following test, added to ChristmasDinnerTest.t.sol, reproduces the issue:

  1. A participant calls deposit() and then changeParticipationStatus() to set their status to false.

  2. The same participant calls refund() and successfully reclaims their funds.

function testFundersCanRefund() public {
    vm.startPrank(user1);
    // user1 funds the dinner and is recorded as a participant
    cd.deposit(address(weth), 1e18);
    assertEq(cd.getParticipationStatus(user1), true);
    // user1 opts out of the event
    cd.changeParticipationStatus();
    assertEq(cd.getParticipationStatus(user1), false);
    // refund still succeeds even though user1 is no longer a participant
    cd.refund();
    vm.stopPrank();
}

Participants (funders) who change their participation status to false can still call refund() successfully.

Impact

Non-participants, or funders who have opted out of the event, can use this to reclaim funds they are no longer entitled to, which opens the door to misuse of the pooled funds.

Tools Used

Manual review

Recommendations

The refund() function should be updated to check the caller's participation status before paying out:

function refund() external nonReentrant beforeDeadline {
+   require(isParticipant[msg.sender], "Not an active participant");
    address payable _to = payable(msg.sender);
    _refundERC20(_to);
    _refundETH(_to);
    emit Refunded(msg.sender);
}

Updates
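To show both the behaviour described under Vulnerability Details and the effect of the recommended check side by side, here is an added, self-contained Foundry example. It is not the ChristmasDinner contract or the project's own test suite: the contract name `RefundGateExample`, its `participant` and `etherBalance` mappings, the `gateRefunds` switch that selects the unguarded or guarded refund path, and the custom errors are all assumptions made for this illustration. It models only an ETH deposit, the opt-out toggle and the refund path, and omits the ERC20 and deadline logic of the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; not the ChristmasDinner contract or its test suite.
// Names, mappings and errors below are assumptions for this illustration.
import {Test} from "forge-std/Test.sol";

contract RefundGateExample {
    error NotActiveParticipant();
    error NothingToRefund();

    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;

    // false = refund path as the finding describes it; true = with the check
    bool public immutable gateRefunds;

    constructor(bool _gateRefunds) {
        gateRefunds = _gateRefunds;
    }

    // Depositing ETH records the balance and flags the sender as a participant.
    function deposit() external payable {
        etherBalance[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }

    // Opting out (or back in) flips the flag; the recorded balance is untouched.
    function changeParticipationStatus() external {
        participant[msg.sender] = !participant[msg.sender];
    }

    // Guarded variant rejects callers whose participation flag is false;
    // unguarded variant pays out to anyone holding a balance.
    function refund() external {
        if (gateRefunds && !participant[msg.sender]) revert NotActiveParticipant();
        uint256 amount = etherBalance[msg.sender];
        if (amount == 0) revert NothingToRefund();
        etherBalance[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund transfer failed");
    }
}

contract RefundGateExampleTest is Test {
    address user = makeAddr("user");

    // Shared setup: fund, confirm the flag, then opt out.
    function _depositThenOptOut(RefundGateExample cd) internal {
        vm.startPrank(user);
        cd.deposit{value: 1 ether}();
        assertTrue(cd.participant(user));
        cd.changeParticipationStatus();
        assertFalse(cd.participant(user));
        vm.stopPrank();
    }

    // Mirrors the report's test: without the check an opted-out funder is still paid.
    function testOptedOutUserCanRefundWithoutCheck() public {
        RefundGateExample cd = new RefundGateExample(false);
        vm.deal(user, 1 ether);
        _depositThenOptOut(cd);
        vm.prank(user);
        cd.refund();
        assertEq(user.balance, 1 ether);
        assertEq(cd.etherBalance(user), 0);
    }

    // With the recommended check in place, the same sequence reverts.
    function testOptedOutUserCannotRefundWithCheck() public {
        RefundGateExample cd = new RefundGateExample(true);
        vm.deal(user, 1 ether);
        _depositThenOptOut(cd);
        vm.expectRevert(RefundGateExample.NotActiveParticipant.selector);
        vm.prank(user);
        cd.refund();
        assertEq(cd.etherBalance(user), 1 ether); // balance is still recorded
    }

    // Opting back in restores the refund path in the guarded variant.
    function testReoptedInUserCanRefundWithCheck() public {
        RefundGateExample cd = new RefundGateExample(true);
        vm.deal(user, 1 ether);
        _depositThenOptOut(cd);
        vm.startPrank(user);
        cd.changeParticipationStatus(); // flag back to true
        cd.refund();
        vm.stopPrank();
        assertEq(user.balance, 1 ether);
    }
}
```

Run it with `forge test --match-contract RefundGateExampleTest`. The third test is the caveat a reviewer would want to see: gating refunds on the flag does not strand an opted-out funder's balance, since the flag can be toggled back and the refund then goes through, which is why the check is a policy decision about who may withdraw rather than a loss-of-funds fix.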

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
