Precision Loss when calculating `prizePool`
The prizePool is calculated in PuppyRaffle::selectWinner using a divide by 100. This value can have decimals which will be lost as uint256 cannot handle decimal values. Since prizePool is a uint256 value, any decimal portion will be truncated due to floor division in Solidity.
Vulnerability Details
In PuppyRaffle::selectWinner, on line 132, the prizePool is determined using the following calculation:
If totalAmountCollected * 80 is not exactly divisible by 100, there will be a precision less due to uint256 not being able to handle decimal values and the prizePool will be truncated. The remaining funds lost due to the truncation will be locked within the contract.
Impact
The prizePool will be smaller than the true amount, up to 99 Wei and the remaining funds locked in the contract. The winner will be sent a smaller prize than expected.
This will lead to a denial of service calling withdrawFees() as the contract balance will not be equal to totalFees even if no players are active. See issue "Unable to withdraw fees if contract balance is non-zero when no players are active" for more details. Based on the values in the deploy script of 1 ether for he entranceFee, this is unlikely but if the script is ever modified to use smaller units of value, this would have a high impact. This is therefore a medium-severity issue.
Recommended Mitigation
To mitigate the precision loss in the prizePool calculation, use fixed-point arithmetic. Use a FixedPoint library, e.g. from OpenZeppelin, for fixed-point arithmetic. This library is only compatible with Solidity versions 0.8.0 or later so the Solidity version will need to be updated.
Tools Used
Forge
Lead Judging Commences
loss of precision
like 1 wei
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.