Submission Details
Severity:
Arithmetics unchecked
Summary
Arithmetic operation result can overflow or underflow causing the behaviour that is not expected.
Vulnerability Details
Example of overflow case in 'PuppyRaffle::selectWinner()': (Paste it in PuppyRaffleTest.t.sol and "forge test")
function testWithdrawFeesOverflow() public {
uint NUMBER_OF_PLAYERS = 100;
uint256 feeBeforeOverflow = 0;
uint256 feeAfterOverflow = 0;
for (int i = 0; i < 11; i++) {
vm.warp(block.timestamp + duration + 1);
vm.roll(block.number + 1);
address[] memory players = new address[](NUMBER_OF_PLAYERS);
for (uint i = 0; i < NUMBER_OF_PLAYERS; i++) {
players[i] = address(i + 1);
}
puppyRaffle.enterRaffle{value: entranceFee * NUMBER_OF_PLAYERS}(players);
puppyRaffle.selectWinner();
feeBeforeOverflow = puppyRaffle.totalFees();
//console.log("puppyRaffle totalFees = %uint", puppyRaffle.totalFees());
}
vm.warp(block.timestamp + duration + 1);
vm.roll(block.number + 1);
address[] memory players = new address[](NUMBER_OF_PLAYERS);
for (uint i = 0; i < NUMBER_OF_PLAYERS; i++) {
players[i] = address(i + 1);
}
puppyRaffle.enterRaffle{value: entranceFee * NUMBER_OF_PLAYERS}(players);
puppyRaffle.selectWinner();
feeAfterOverflow = puppyRaffle.totalFees();
console.log(feeAfterOverflow);
console.log(feeBeforeOverflow);
assertFalse(feeAfterOverflow > feeBeforeOverflow);
}
Impact
Some unexpected behaviour (fee will be lost, for example)
Tools Used
Foundry
Recommendations
Use OZ lib SafeMath or solidity compliler version 0.8.0+
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.