The receive() function, which handles Ether deposits, does not enforce a deadline check. As a result, users can send ETH (even zero-value transactions, which is a known issue) and become participants after the deadline. While users cannot claim refunds after the deadline, this behavior undermines the protocol's intended time-bound participation rules and may result in confusion or mistrust among participants, especially when they are unable to refund their deposits.
The receive() function enables users to deposit Ether and automatically become participants in the event. However, there is no validation to ensure that deposits occur only within the allowed deadline period. The contract's current design relies on social conventions to manage participation, but allowing deposits after the deadline contradicts the intent of limiting participation to a specific timeframe. This could erode trust and confuse users, especially when they are unable to refund their deposits.
Add the following test to the ChristmasDinnerTest contract:
Users may mistakenly believe they are legitimate participants after the deadline, only to discover they cannot refund their deposits.
Zero-value deposits post-deadline enable users to gain participant status without contributing.
The contract's logic to enforce a clear deadline for participation is flawed.
Manual review
Add a deadline check to the receive() function to enforce the participation cutoff. Reject deposits if the deadline has passed, ensuring users cannot become participants post-deadline.
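A minimal sketch of the recommended check, added here as an illustration and not taken from the audited contract. The contract name, the state variables (deadline, participant, etherBalance), the error and the event are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names below are hypothetical and do not
// come from the audited code base.
contract DeadlineGatedDeposits {
    // Reverting with both timestamps makes a rejected deposit easy to diagnose.
    error DeadlinePassed(uint256 deadline, uint256 currentTime);

    uint256 public immutable deadline;
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;

    event Deposited(address indexed user, uint256 amount);

    // Assumption: the participation window is fixed at deployment.
    constructor(uint256 participationWindow) {
        deadline = block.timestamp + participationWindow;
    }

    // Behaviour described in the finding: receive() marks the sender as a
    // participant with no time check, so deposits (including zero-value
    // ones) are accepted after the deadline.
    //
    // Hardened form: the deadline is checked before any state is written,
    // so a late transfer reverts and the sender never becomes a participant.
    receive() external payable {
        if (block.timestamp > deadline) {
            revert DeadlinePassed(deadline, block.timestamp);
        }
        participant[msg.sender] = true;
        etherBalance[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }
}
```

Because the revert happens before any storage write, a post-deadline transfer, zero-value or not, leaves the participant mapping and balances unchanged and the sent Ether stays with the sender.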