Raisebox Faucet

First Flight #50
Beginner Friendly / Solidity
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

The fallback() function could record wrong donors

Root + Impact

Description

  • The "fallback()" function is intended to emit the "SepEthDonated" event, but anyone calling a non-existent function on the contract will be recorded as a donor.
    So an attacker could keep calling a non-existent function without sending any Sepolia ETH, disrupting any further logic that handles the "SepEthDonated" event.

// Any call to a non-existent function could trigger this fallback logic
fallback() external payable {
    emit SepEthDonated(msg.sender, msg.value);
}

Risk

Likelihood:

  • This will happen every time a malicious user calls a non-existent function

Impact:

  • This would result in a lot of "false donors", and may disrupt any further logic that handles the "SepEthDonated" event

Proof of Concept

1. A malicious user calls a non-existent function of the contract, with no Sepolia ETH sent

2. The event SepEthDonated is emitted and the user may be logged as a donor (with 0 amount)
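As an added example (not part of this submission and not the Raisebox Faucet code), a hypothetical minimal logger that keeps unknown-selector calls out of the donation event, plus a Foundry test that replays the two steps above against it. The contract and event names, and the forge-std dependency, are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal donation logger, written for this example only.
contract DonationLoggerHardened {
    event SepEthDonated(address indexed donor, uint256 amount);
    event FallbackTriggered(address indexed caller, uint256 amount, bytes data);

    // Plain ETH transfers (empty calldata) land here. Only a non-zero
    // donation is recorded, so a 0-value transfer cannot create a "donor".
    receive() external payable {
        require(msg.value > 0, "zero-value donation");
        emit SepEthDonated(msg.sender, msg.value);
    }

    // Calls to a selector this contract does not implement land here.
    // They are logged under a separate event, so off-chain code that
    // indexes SepEthDonated never sees them as donations.
    fallback() external payable {
        emit FallbackTriggered(msg.sender, msg.value, msg.data);
    }
}

// Foundry test (assumes forge-std is installed) replaying the proof of
// concept: an unknown selector with no ETH must not look like a donation.
contract DonationLoggerHardenedTest is Test {
    event SepEthDonated(address indexed donor, uint256 amount);
    event FallbackTriggered(address indexed caller, uint256 amount, bytes data);

    DonationLoggerHardened internal target;

    function setUp() public {
        target = new DonationLoggerHardened();
    }

    function test_unknownSelectorWithoutEthIsNotADonation() public {
        bytes memory data = abi.encodeWithSignature("doesNotExist()");
        vm.expectEmit(true, false, false, true, address(target));
        emit FallbackTriggered(address(this), 0, data);
        (bool ok,) = address(target).call(data);
        assertTrue(ok);
    }

    function test_zeroValuePlainTransferIsRejected() public {
        (bool ok,) = address(target).call("");
        assertFalse(ok);
    }
}
```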

Recommended Mitigation

+ event FallbackTriggered(address indexed user);
......
fallback() external payable {
- emit SepEthDonated(msg.sender, msg.value);
+ emit FallbackTriggered(msg.sender);
}
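Review bot: dropping the SepEthDonated emit from fallback() entirely, as the `- emit SepEthDonated(msg.sender, msg.value);` / `+ emit FallbackTriggered(msg.sender);` pair does, means a caller who sends ETH together with unrecognised calldata is no longer recorded as a donor, and the replacement event also discards msg.value, so monitoring loses the amount that arrived. Consider keeping the value in the new event (e.g. `event FallbackTriggered(address indexed user, uint256 amount);`) and emitting SepEthDonated only when msg.value > 0, or reverting on unexpected calldata if the contract does not want to accept such calls at all; the elided "......" region should also show whether a receive() function exists for plain transfers, since that is where genuine donations without calldata would land.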
Updates

Lead Judging Commences

inallhonesty Lead Judge 14 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
