The contract's receive() function does not properly update the participant mapping when users deposit ETH, breaking a core contract invariant where all depositors should be marked as participants. This creates inconsistency in participation tracking between ETH and ERC20 depositors.
The receive() function is designed to handle ETH deposits and should track participation status similar to the deposit() function for ERC20 tokens. However, it only updates the ETH balance without marking the sender as a participant:
The function:
- Updates etherBalance for the sender
- Emits a NewSignup event with participation status as true
- But critically fails to set participant[msg.sender] = true
This creates a mismatch with the ERC20 deposit flow where users are properly marked as participants:
The missing participant status update leads to:
- ETH depositors cannot be assigned as host since the changeHost() function requires participant status
- ETH depositors may be unable to change their participation status through changeParticipationStatus()
- Inconsistent participant tracking making it difficult for the host to accurately track attendees
- Misleading events that indicate participation when the state doesn't reflect it
Manual review
Update the receive() function to properly set participant status:
Additionally, consider:
- Adding the beforeDeadline modifier to maintain consistency with deposit()
- Adding a check to emit GenerousAdditionalContribution instead of NewSignup for repeat deposits
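The recommendations above, combined in one sketch. This is an added example, not the audited contract's source: the identifiers participant, etherBalance, NewSignup, GenerousAdditionalContribution and beforeDeadline come from the finding, while the event signatures, the deadline variable, the DeadlinePassed error and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Anything marked "assumed" does not appear in the finding.
contract ParticipationSketch {
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;
    uint256 public immutable deadline; // assumed storage behind beforeDeadline

    // Assumed signatures; the finding gives only the event names.
    event NewSignup(address indexed user, uint256 amount, bool participating);
    event GenerousAdditionalContribution(address indexed user, uint256 amount);

    error DeadlinePassed(); // assumed

    constructor(uint256 _deadline) {
        deadline = _deadline;
    }

    modifier beforeDeadline() {
        if (block.timestamp > deadline) revert DeadlinePassed();
        _;
    }

    // Behaviour described in the finding, kept as a comment for comparison:
    //   receive() external payable {
    //       etherBalance[msg.sender] += msg.value;
    //       emit NewSignup(msg.sender, msg.value, true); // participant[] never set
    //   }

    // Hardened form: the stored flag matches the emitted event,
    // and the same deadline gate as deposit() applies.
    receive() external payable beforeDeadline {
        etherBalance[msg.sender] += msg.value;
        if (participant[msg.sender]) {
            // Repeat deposit from an address already marked as participant.
            emit GenerousAdditionalContribution(msg.sender, msg.value);
        } else {
            participant[msg.sender] = true;
            emit NewSignup(msg.sender, msg.value, true);
        }
    }
}
```

A regression test for the invariant would send ETH from a fresh address and assert that participant(sender) is true and that etherBalance(sender) equals the value sent.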