Christmas Dinner

First Flight #31
Submission Details
Severity: medium
Valid

[M-2] Participation Status Not Updated Post Refund leading to inaccurate Participation records

Summary

The refund() function does not update the participant mapping to set the caller’s participation status to false after they have reclaimed their funds.

Vulnerability Details

This test was added to ChristmasDinnerTest.t.sol:

  1. A participant calls refund() and reclaims their funds.

  2. Call getParticipationStatus() for the participant. It still returns true.

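    function testParticipationStatusAfterRefund() public {
        vm.startPrank(user1);
        // Depositing marks user1 as a participant.
        cd.deposit(address(weth), 1e18);
        assertEq(cd.getParticipationStatus(user1), true);
        // refund() returns the funds but leaves the participant flag untouched.
        cd.refund();
        bool status = cd.getParticipationStatus(user1);
        vm.stopPrank();
        console.log(status); // logs true: the status was not reset
    }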

The participant status remained true after the refund:

Logs:
true

Impact

Participants who call refund() remain marked as active participants, leading to potential inconsistencies and misuse in subsequent checks or actions. For example, refunded participants could still appear eligible for certain privileges, affecting the event’s organization.

Tools Used

Manual review

Recommendations

Update the participant's status during the refund process:

function refund() external nonReentrant beforeDeadline {
address payable _to = payable(msg.sender);
_refundERC20(_to);
_refundETH(_to);
+ participant[msg.sender] = false;
emit Refunded(msg.sender);
}
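Review bot: the added `participant[msg.sender] = false;` is placed after `_refundERC20(_to)` and `_refundETH(_to)`, so the state write happens only after the two calls that, going by their names, send funds back to the caller. `nonReentrant` is on the function, but moving the write above both refund calls keeps the checks-effects-interactions order and does not depend on the guard. The proof-of-concept test above only logs the status; a regression test that asserts `cd.getParticipationStatus(user1)` is false after `cd.refund()` would pin the fix down.
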
Updates

Lead Judging Commences

0xtimefliez Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

refund does not update participation status
