The receive() function is vulnerable to reentrancy attacks because state updates occur after ETH transfers and the function has no reentrancy protection.
The receive() function updates state after receiving ETH:
This violates the checks-effects-interactions pattern and lacks reentrancy protection.
Critical: Potential manipulation of participation status
Multiple participation records from single deposit
Balance tracking manipulation
Event spam is possible
Foundry for testing and exploitation
Manual code review
Reentrancy exploit test:
Add nonReentrant modifier to receive():
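As an added illustration (not the audited contract's code), a hypothetical contest contract whose receive() follows the checks-effects-interactions pattern and carries a nonReentrant guard. It assumes the deposit is forwarded to a treasury address, which is the external call a nested receive() would come back through; the contract name, treasury field and event are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contest contract (constructed for this example, not the audited
// code). It records participation when ETH arrives and forwards the deposit
// to a treasury; the forward is the external call that makes ordering matter.
contract ContestHardened {
    address payable public immutable treasury;
    mapping(address => uint256) public balances;
    mapping(address => bool) public participated;
    uint256 public participantCount;

    // Minimal guard with the same effect as OpenZeppelin's nonReentrant:
    // a nested call into any guarded function reverts.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    event Participated(address indexed who, uint256 amount);

    constructor(address payable _treasury) {
        treasury = _treasury;
    }

    // Unsafe ordering (what the finding describes): forward the ETH first,
    // then write participated/balances/emit. A callback from the forward
    // could re-enter before the writes and produce duplicate participation
    // records, inflated balances and repeated events.
    //
    // Safe ordering: checks, then every storage write and event, and only
    // then the external call. The guard blocks re-entry even if the ordering
    // regresses in a later change.
    receive() external payable nonReentrant {
        require(msg.value > 0, "zero deposit");            // checks
        if (!participated[msg.sender]) {                    // effects
            participated[msg.sender] = true;
            participantCount += 1;
        }
        balances[msg.sender] += msg.value;
        emit Participated(msg.sender, msg.value);
        (bool ok, ) = treasury.call{value: msg.value}("");  // interaction last
        require(ok, "forward failed");
    }
}
```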