The refund() function does not update the participant mapping after refunding a user's funds. This allows refunded users, who no longer have any financial stake in the event, to retain their participant status. Such users can still be considered participants and are eligible to become the host, enabling them to potentially extract all funds from the contract.
The refund() function enables users to withdraw their funds if they decide not to participate in the event. However, the participant mapping is not updated during the refund process, leaving the user marked as a participant even after receiving a full refund. If the host is not careful, they can then transfer the host role to this participant, who is no longer part of the event, giving that user the opportunity to steal all funds from the contract.
Add the following test to the ChristmasDinnerTest contract:
Even after a refund, the user is still a participant and eligible to become a new host.
Users who have refunded their contributions are still considered participants, leading to misleading representation in the contract.
A refunded user could illegitimately become the host, gaining control over protocol funds and the event organization.
The protocol's intent to grant host privileges only to genuine participants who have contributed to the event is undermined.
Manual review
Foundry
Update the participant mapping in the refund() function to remove the user’s participant status after a successful refund.
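The recommendation above, sketched as an added example that is not the project's own code: a simplified ETH-only model showing the refund that leaves the flag set beside the one that clears it. The contract name `DinnerModel` and the names `deposit`, `changeHost`, `etherBalance` and `refundVulnerable` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified ETH-only model of the pattern in this finding (constructed for
// illustration; names other than refund(), participant and host are assumed).
contract DinnerModel {
    address public host;
    mapping(address => bool) public participant;
    mapping(address => uint256) public etherBalance;

    constructor() {
        host = msg.sender;
    }

    function deposit() external payable {
        require(msg.value > 0, "no value");
        participant[msg.sender] = true;
        etherBalance[msg.sender] += msg.value;
    }

    // Host handover is gated only on the participant flag, so the flag must
    // track whether the address still has a stake in the event.
    function changeHost(address newHost) external {
        require(msg.sender == host, "not host");
        require(participant[newHost], "not a participant");
        host = newHost;
    }

    // Vulnerable form: funds are returned but the flag is left set, so the
    // refunded address still passes the changeHost() check.
    function refundVulnerable() external {
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Hardened form: clear the stake and the participant flag before the
    // external call (checks-effects-interactions).
    function refund() external {
        uint256 amount = etherBalance[msg.sender];
        etherBalance[msg.sender] = 0;
        participant[msg.sender] = false;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A regression test for the fix would assert that `participant(user)` is false after `refund()` and that `changeHost(user)` reverts.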