Fee address could receive less than what it should resulting in blocked funds
Vulnerability Details
The fees variable undergoes to a casting to a uint64() from a uint256() making it possible to
Let’s suppose that a raffle was correctly executed, having 100 players, with the entranceFee being 1e18,calculating the fee that the feeAddress should receive should be equal to 20000000000000000000, but because of these line in the code:
The fee variable is not correct because of the casting, instead of adding 20000000000000000000 (2e19) to totalFees it could only add this number: 1553255926290448384 (1.56e18),for perspective, it doesn't surpass 8% of what it should be.
And for the way of how the contract is written, it means that some parts of the balance of the contract will be completely unattainable. In the example of 100 players:
100000000000000000000
prizePool: 80000000000000000000 (8e19)
fees: 1553255926290448384 (1.56e18)
blocked funds: 1.84e19 wei (18 % of the balance)
The number of blocked funds increases for each raffle with more players, for a 1000 players the number of the funds (for that raffle) will be the equivalent of 19.8% of the total balance.
Impact
High - block of funds for feeAddress
Recommendations
Change the variable totalFees to be a uint256 to eliminate this issue, in this way;
And the issue will dissapear for calculating the total fees and no funds will be blocked
Lead Judging Commences
unsafe cast of fee to uint64
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.