Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Valid

[H-06] User sending ether to the contract is not registered as participant

Description:

ChristmasDinner::receive() does not register the address of the donor as a participant, breaking the contract's promise.

receive() external payable {
@>  etherBalance[msg.sender] += msg.value;
    emit NewSignup(msg.sender, msg.value, true);
}

Impact:

Impact: High. Funds are sent to the contract but the user is not registered, which breaks the contract logic.

Likelihood: High. If a user only sends ether to the contract, he will not be registered for the dinner and will not be able to attend.

Proof of Concept:

function test_depositEtherAndBecomeParticipant() public {
    address payable _cd = payable(address(cd));
    vm.deal(user1, 10e18);
    vm.prank(user1);
    // Plain ether transfer with empty calldata, handled by receive()
    (bool sent, ) = _cd.call{value: 1e18}("");
    require(sent, "transfer failed");
    assertEq(user1.balance, 9e18);
    assertEq(address(cd).balance, 1e18);
    // Expected by the contract's promise: the sender is now a participant
    assertEq(cd.getParticipationStatus(user1), true);
}

user1 is not on the participant list after sending ether to the contract, so the final assertion fails.

Recommended Mitigation:

Add the sender's address to the participant list in receive().

receive() external payable {
+ participant[msg.sender] = true;
etherBalance[msg.sender] += msg.value;
emit NewSignup(msg.sender, msg.value, true);
}
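
Review bot: the added `participant[msg.sender] = true;` at the top of receive() is unconditional, so a transfer with msg.value == 0 would also mark the sender as a participant and emit NewSignup with a zero amount. Consider guarding the assignment with a check that msg.value > 0. receive() as shown also carries no modifier, so if the other sign-up path enforces any precondition, the same precondition should apply here before the flag is set.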
Updates

Lead Judging Commences

0xtimefliez Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

receive does not update participation status
