Summary:
The changeParticipationStatus function lets any address mark itself as a participant without having made a deposit. This is an access-control and logic flaw: users who never paid can attend the event while bypassing the payment requirement the contract is meant to enforce.
Vulnerability Details:
The changeParticipationStatus function never checks whether the caller has made a deposit before updating the caller's participation status. As a result, any externally owned account or contract can call it and set its own status to true, so the intended payment requirement is not enforced at the point where participation is granted.
Affected Code:
Impact:
The event host may have to accommodate a significantly larger number of attendees than the deposits received would indicate.
Event resources (venue capacity, catering, and similar per-head costs) may be strained by unauthorized participants who never paid.
Genuine participants who did pay may receive a diluted event experience because of overcapacity, and the host collects less revenue than the attendee count implies.
Steps to Reproduce:
Deploy the smart contract containing the changeParticipationStatus function.
From any address that has made no deposit, call changeParticipationStatus and request participant status.
Observe that the call succeeds and the address is recorded as a participant even though no payment was made.
Tools Used:
Manual Review
Foundry Framework
Recommendation:
Introduce a mapping that records, per address, whether the required deposit has been made, set it only from the deposit path, and require it to be true in changeParticipationStatus before the caller's status can be set to true. Opting out (setting the status to false) does not need the check.
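The following is an added illustration of the recommended fix together with a Foundry test that reproduces the finding against the unchecked variant; it is not the audited contract's code. The contract name EventRegistry, the deposit function, the DEPOSIT_AMOUNT constant, the hasPaid mapping and the custom errors are all assumptions chosen for the example, since the affected code itself is not reproduced in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal reconstruction of the affected pattern (example code,
// not the audited contract). Names below are assumptions for illustration.
contract EventRegistry {
    uint256 public constant DEPOSIT_AMOUNT = 0.1 ether; // assumed fee

    // Payment tracking: written only by deposit(), read by the status setter.
    mapping(address => bool) public hasPaid;
    mapping(address => bool) public isParticipant;

    error DepositRequired(address caller);
    error WrongDepositAmount(uint256 sent, uint256 required);
    error AlreadyPaid(address caller);

    function deposit() external payable {
        if (msg.value != DEPOSIT_AMOUNT) revert WrongDepositAmount(msg.value, DEPOSIT_AMOUNT);
        if (hasPaid[msg.sender]) revert AlreadyPaid(msg.sender);
        hasPaid[msg.sender] = true;
    }

    // Shape described in the finding: no check that a deposit was ever made.
    // Kept here only so the test below can demonstrate the bypass.
    function changeParticipationStatusUnchecked(bool status) external {
        isParticipant[msg.sender] = status;
    }

    // Hardened version: becoming a participant requires a recorded deposit.
    // Opting out (status == false) remains allowed for everyone.
    function changeParticipationStatus(bool status) external {
        if (status && !hasPaid[msg.sender]) revert DepositRequired(msg.sender);
        isParticipant[msg.sender] = status;
    }
}

contract EventRegistryTest is Test {
    EventRegistry registry;
    address alice = makeAddr("alice");     // pays the deposit
    address mallory = makeAddr("mallory"); // never deposits

    function setUp() public {
        registry = new EventRegistry();
        vm.deal(alice, 1 ether);
    }

    // Reproduction of the finding against the unchecked function:
    // an address with no deposit becomes a participant.
    function test_UncheckedVariantAllowsFreeParticipation() public {
        vm.prank(mallory);
        registry.changeParticipationStatusUnchecked(true);
        assertTrue(registry.isParticipant(mallory));
    }

    // With the fix, the same call reverts and no status is recorded.
    function test_RevertWhen_NoDeposit() public {
        vm.prank(mallory);
        vm.expectRevert(abi.encodeWithSelector(EventRegistry.DepositRequired.selector, mallory));
        registry.changeParticipationStatus(true);
        assertFalse(registry.isParticipant(mallory));
    }

    // The legitimate path still works: deposit first, then opt in.
    function test_ParticipateAfterDeposit() public {
        vm.startPrank(alice);
        registry.deposit{value: 0.1 ether}();
        registry.changeParticipationStatus(true);
        vm.stopPrank();
        assertTrue(registry.isParticipant(alice));
    }
}
```

Run with `forge test` in a project that has forge-std installed. The check is deliberately placed on the transition to true rather than on every call, so an address that paid can still withdraw from participation; whether hasPaid should be cleared or refunded in that case depends on the event's refund policy and is outside the scope of this finding.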