Beginner Friendly FoundryNFT
100 EXP
Submission Details
Severity: high
Valid

DoS due to winner calculation error when user requests refunds

Summary

A DoS situation arises when a user withdraws from the raffle, because the players array keeps its previous length.

Vulnerability Details

When a user enters the raffle, the player is pushed onto the players array, increasing its length. When that same user later requests a refund through the function refund(...), only the address at that player's index is zeroed; the array length remains the same.

As a result, when the function selectWinner(...) is called, it computes totalAmountCollected from the players array length and entranceFee. That length can be higher than the actual number of players still in the raffle, so either the owner is paid less (only the winner is paid immediately), or a DoS-like situation occurs where the calculated prizePool is higher than the contract balance and the winner cannot be paid.

Impact

  • DoS for winner

  • Lower fees for owner

Tools Used

Manual Review

Recommendations

Better accounting of players is required instead of relying on the array length. When removing a player, a simple approach is to swap that player with the last player in the array and then pop the last element.
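The length-based accounting from the Vulnerability Details and the swap-and-pop fix from the Recommendations, shown side by side as an added illustration. This is constructed for this write-up and is not the audited contract's code: the names players, entranceFee, refund and selectWinner follow the report, while the 80/20 prize/fee split, the four-player minimum, the randomness parameter and the helper _activeIndexOf are assumptions made here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Constructed illustration for this finding (not the audited contract).
/// The 80/20 split, the 4-player minimum, `randomness` and `_activeIndexOf`
/// are assumed for illustration only.
contract RaffleAccountingDemo {
    uint256 public immutable entranceFee;
    address payable[] public players;
    uint256 public totalFees;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "wrong entrance fee");
        players.push(payable(msg.sender)); // length grows by one per entry
    }

    /// VULNERABLE pattern described in the report: the slot is zeroed but the
    /// array keeps its length, so players.length no longer equals the number
    /// of entries whose ether is still in the contract.
    function refundBroken(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not this player's slot");
        players[playerIndex] = payable(address(0));
        payable(msg.sender).transfer(entranceFee);
    }

    /// Derives the pot from players.length. With 4 entries and 1 zeroed slot:
    /// totalAmountCollected = 4 * fee, balance = 3 * fee, prizePool = 3.2 * fee,
    /// so the winner transfer reverts (DoS). With more entries the transfer
    /// succeeds, but totalFees exceeds what is left, so fees cannot be paid out.
    /// A zeroed slot can also be drawn as the winner (address(0)).
    function selectWinnerBroken(uint256 randomness) external {
        require(players.length >= 4, "need at least 4 players");
        address payable winner = players[randomness % players.length];
        uint256 totalAmountCollected = players.length * entranceFee;
        uint256 prizePool = (totalAmountCollected * 80) / 100;
        uint256 fee = (totalAmountCollected * 20) / 100;
        totalFees += fee;
        delete players;
        winner.transfer(prizePool); // reverts when prizePool > address(this).balance
    }

    /// FIXED refund: swap-and-pop keeps players.length equal to the number of
    /// live entries. State is updated before the external call
    /// (checks-effects-interactions), so a re-entrant call finds the caller
    /// already removed and reverts in _activeIndexOf.
    function refundFixed() external {
        uint256 index = _activeIndexOf(msg.sender);
        uint256 last = players.length - 1;
        if (index != last) {
            players[index] = players[last]; // moved player now lives at `index`
        }
        players.pop();
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund transfer failed");
    }

    /// Same calculation as above, but players.length is now trustworthy and
    /// address(0) can never be selected.
    function selectWinnerFixed(uint256 randomness) external {
        require(players.length >= 4, "need at least 4 players");
        address payable winner = players[randomness % players.length];
        uint256 totalAmountCollected = players.length * entranceFee;
        uint256 prizePool = (totalAmountCollected * 80) / 100;
        totalFees += totalAmountCollected - prizePool;
        delete players;
        (bool ok, ) = winner.call{value: prizePool}("");
        require(ok, "prize transfer failed");
    }

    /// Look the caller up by address rather than trusting a caller-supplied
    /// index: after a swap-and-pop, any index cached off-chain is stale.
    function _activeIndexOf(address player) internal view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) return i;
        }
        revert("player not active");
    }
}
```

A Foundry test that deploys the contract with an entrance fee of 1 ether, enters four players, refunds one through refundBroken and then calls selectWinnerBroken will revert on the winner transfer (3.2 ether owed against a 3 ether balance); repeating the sequence with refundFixed and selectWinnerFixed pays the winner 2.4 ether and leaves exactly 0.6 ether of fees, matching the balance. The reason refundFixed takes no index is the caveat attached to swap-and-pop: moving the last player into the vacated slot changes that player's index, so the contract resolves the caller's position itself instead of accepting one from the caller.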

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.
