The intended behavior is that a new member must pay an amount to become a participant. However, a vulnerability allows a new member to directly call the changeParticipationStatus function and gain participant status without sending or paying any amount.
The changeParticipationStatus function lacks proper validation to ensure that participant status is updated only after payment. As a result, an attacker can directly invoke this function to bypass the payment process and obtain participant status without fulfilling the payment requirement.
This vulnerability enables unauthorized users to participate in the event without making the required payment, potentially leading to financial losses and undermining the fairness of the system.
Foundry
Add a validation check in the changeParticipationStatus function to ensure that only participants who have successfully registered and paid the required amount can update their status.
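A sketch of the recommended check, added here as an illustration and not taken from the audited contract. Only the name changeParticipationStatus comes from this finding; the contract name, entryFee, paid, register and the unchecked variant are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the audited contract. Every name except
// changeParticipationStatus is an assumption.
contract ParticipationSketch {
    uint256 public immutable entryFee;        // assumed fixed fee, in wei
    mapping(address => uint256) public paid;  // assumed per-address payment ledger
    mapping(address => bool) public participant;

    error NotPaid();
    error WrongAmount();

    constructor(uint256 fee) {
        entryFee = fee;
    }

    // Payment path: the only place a new member gains participant status.
    function register() external payable {
        if (msg.value != entryFee) revert WrongAmount();
        paid[msg.sender] += msg.value;
        participant[msg.sender] = true;
    }

    // Pattern the finding describes: status flips with no payment check,
    // so an address that never paid can mark itself as a participant.
    function changeParticipationStatusUnchecked() external {
        participant[msg.sender] = !participant[msg.sender];
    }

    // Hardened form: the caller must have a recorded payment covering the
    // fee before the status can change in either direction.
    function changeParticipationStatus() external {
        if (paid[msg.sender] < entryFee) revert NotPaid();
        participant[msg.sender] = !participant[msg.sender];
    }
}
```

A Foundry test for the hardened function would call changeParticipationStatus from an address that never called register and expect the NotPaid revert.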