Submission Details
Severity: low
Valid

Total entrance fee can overflow leading to the user paying little to nothing

Summary

Calling PuppyRaffle::enterRaffle with many addresses results in the user paying a very small fee and gaining a disproportionate number of entries.

Vulnerability Details

PuppyRaffle::enterRaffle does not check for an overflow. If a user inputs enough addresses that their count multiplied by entranceFee exceeds type(uint256).max, the amount checked against msg.value overflows back to 0.

    function enterRaffle(address[] memory newPlayers) public payable {
    =>  require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
        ...

To see for yourself, you can paste this function into PuppyRaffleTest.t.sol and run forge test --mt testCanEnterManyAndPayLess.

    function testCanEnterManyAndPayLess() public {
        // Just above half of the max value, so entranceFee * 2 wraps to 0
        uint256 entranceFee = type(uint256).max / 2 + 1;
        puppyRaffle = new PuppyRaffle(
            entranceFee,
            feeAddress,
            duration
        );
        address[] memory players = new address[](2); // enter two players
        players[0] = playerOne;
        players[1] = playerTwo;
        puppyRaffle.enterRaffle{value: 0}(players); // user pays no fee
    }

This Solidity test uses an entranceFee that is slightly above half the max uint256 value. The user can input two addresses and pay no fee. You could imagine the same working with lower base entrance fees and a longer address array.

Impact

This is a critical high-severity vulnerability, as anyone could enter multiple addresses and pay no fee, gaining an unfair advantage in this lottery.

The player not only gains an advantage in the lottery but could also refund all of his positions and gain financially.

Tools Used

  • Manual review

  • Foundry

Recommendations

Revert the function call if entranceFee * newPlayers.length exceeds the uint256 limit. Using OpenZeppelin's SafeMath library is also an option.

Generally, it is recommended to use a newer Solidity version, as over-/underflows are checked by default in Solidity >=0.8.0.
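
One way to implement the revert recommended above on a compiler older than 0.8.0, shown next to the unchecked multiplication. This is an added example, not part of the submission or the PuppyRaffle source; the contract name FeeCheckExample, its function names, its revert strings and the pragma range are assumptions.

```solidity
// SPDX-License-Identifier: MIT
// Assumption: a pre-0.8 compiler, where `*` wraps silently on overflow.
pragma solidity >=0.7.0 <0.8.0;

// Hypothetical stand-alone contract for illustration; not the PuppyRaffle code.
contract FeeCheckExample {
    uint256 public immutable entranceFee;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // Same arithmetic as the check quoted in the finding: the product wraps
    // modulo 2**256. With entranceFee = type(uint256).max / 2 + 1 and
    // playerCount = 2 this returns 0.
    function uncheckedTotal(uint256 playerCount) public view returns (uint256) {
        return entranceFee * playerCount;
    }

    // Checked form: divide the product back by one factor and compare.
    // If the multiplication wrapped, the quotient differs and the call reverts.
    function checkedTotal(uint256 playerCount) public view returns (uint256 total) {
        if (playerCount == 0) {
            return 0; // nothing to multiply, and avoids division by zero below
        }
        total = entranceFee * playerCount;
        require(total / playerCount == entranceFee, "FeeCheckExample: fee overflow");
    }

    // Fee gate an entry function would run before recording any players.
    function requireExactFee(address[] memory newPlayers) public payable {
        require(newPlayers.length > 0, "FeeCheckExample: no players");
        require(msg.value == checkedTotal(newPlayers.length), "FeeCheckExample: wrong fee");
    }
}
```

With the inputs from the test above, uncheckedTotal(2) returns 0 while checkedTotal(2) reverts, so a call that sends no value is rejected instead of accepted.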

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

entrance fee can overflow (* # of players)

You'd have to have a TON of money for this to happen. IMPACT: HIGH LIKELIHOOD: VERY LOW

robbiesumner Submitter
about 2 years ago
patrickalphac Lead Judge
about 2 years ago
robbiesumner Submitter
about 2 years ago