First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Fees are calculated wrong!

0x6a70

Summary

Fees are calculated based on players.length, but when a refund is made the address in the array is changed to address 0 instead of popping the array and removing the refunded address. This way the length of the array is remaining the same , but there are less tokens in the contract because the one address was refunded.
When the winner is selected he may receive less funds , or the call can fail which will revert the function.
Furthermore there is a downcasting of the fee variable which may lead to a loss of funds, also totalFee may overflow!

Vulnerability Details

Prizepool and fee calculation:

uint256 totalAmountCollected = players.length * entranceFee;
uint256 prizePool = (totalAmountCollected * 80) / 100;
uint256 fee = (totalAmountCollected * 20) / 100;

Downcasting:

totalFees = totalFees + uint64(fee);

Impact

High

Tools Used

Manual review

Recommendations

Keep track of refunded users , or pop the array when a refund is made.

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!