Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: medium
Invalid

[M-1] `ChristmasDinner::deposit` lacks a zero-token deposit check, letting participants evade paying on sign-up

Summary

The contract allows users to contribute zero tokens on sign-up, effectively letting them register as participants without making any financial commitment, which prevents the host from planning properly.

Vulnerability Details

The following test was added to `ChristmasDinnerTest.t.sol`:

  1. Call deposit() with a whitelisted token and _amount = 0.

  2. Observe that the user is added as a participant without transferring any tokens.

function testParticipantDepositZeroToken() public {
    vm.startPrank(user1);
    // Deposit zero of a whitelisted token
    cd.deposit(address(weth), 0);
    // user1 is registered as a participant despite transferring nothing
    assertEq(cd.getParticipationStatus(user1), true);
    bool status = cd.getParticipationStatus(user1);
    console.log(status);
}

Ran 1 test for test/ChristmasDinnerTest.t.sol:ChristmasDinnerTest
[PASS] testParticipantDepositZeroToken() (gas: 62499)
Logs:
true

Impact

Participants can sign up for free without making any contribution. This undermines the contract's purpose of collecting funds for the event, causing budgeting issues for the host and creating a potential loophole for free participation.

Tools Used

Manual Review

Recommendations

The `deposit` function needs the following check:

function deposit(address _token, uint256 _amount) external beforeDeadline {
+ require(_amount > 0, "Contribution must be greater than zero");
if(!whitelisted[_token]) {
revert NotSupportedToken();
}
...
}
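
Review bot: the `+ require(_amount > 0, "Contribution must be greater than zero");` line reverts with a string, while the check directly below it reverts with the custom error `NotSupportedToken()`, so the function ends up with two error styles. Consider a custom error here as well, for example `if (_amount == 0) revert ZeroAmount();`, where `ZeroAmount` is a suggested name and not something shown in the contract. Once the check is in place, `testParticipantDepositZeroToken` should be replaced by a test that expects the revert for `_amount = 0`.
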
Updates

Lead Judging Commences

0xtimefliez Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
