Potential Denial of Service (DoS) Attack with Fee Lock
A malicious actor can mount a Denial of Service (DoS) attack on the smart contract by forcibly sending Ether (ETH) to it. Doing so could break the contract's check that address(this).balance equals uint256(totalFees). If additional ETH reaches the contract outside of its standard operations, the balance could exceed totalFees, making it impossible to meet the condition for withdrawals or other financial operations, especially when there are no active players.
This vulnerability could lead to the permanent locking of funds within the smart contract. Such an event would not only result in financial losses but could also damage user trust in the system's reliability and security.
Manual Review
Instead of
require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
use
require(players.length == 0);
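The strict-balance check and the recommended check, side by side in a simplified model. This is an added example, not the audited contract's code: ENTRANCE_FEE, the 20% fee, settle(), untrackedBalance() and the function names are assumptions, and totalFees is declared uint256 here so the check needs no cast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration; not the audited contract.
// ENTRANCE_FEE, the 20% fee, settle() and all function names are assumptions.
contract FeeLockModel {
    uint256 public constant ENTRANCE_FEE = 1 ether;
    address public immutable feeAddress;
    address[] public players;
    uint256 public totalFees;

    constructor(address _feeAddress) { feeAddress = _feeAddress; }

    // Tracked inflow: every wei received here is accounted for.
    function enter() external payable {
        require(msg.value == ENTRANCE_FEE, "wrong entrance fee");
        players.push(msg.sender);
    }

    // Stand-in for ending a round: book the fee, pay players[0], clear players.
    function settle() external {
        address winner = players[0]; // reverts if there are no players
        uint256 collected = players.length * ENTRANCE_FEE;
        uint256 fee = (collected * 20) / 100;
        totalFees += fee;
        delete players;
        (bool ok, ) = winner.call{value: collected - fee}("");
        require(ok, "payout failed");
    }

    // Check from the finding: any wei credited outside enter() leaves
    // balance > totalFees, and no function of the contract can undo that.
    function withdrawFeesStrict() external {
        require(address(this).balance == totalFees, "players active");
        _payFees();
    }

    // Recommended check: depends only on state the contract itself writes.
    function withdrawFeesHardened() external {
        require(players.length == 0, "players active");
        _payFees();
    }

    // Monitoring aid: a nonzero result means ETH arrived outside enter().
    function untrackedBalance() external view returns (uint256) {
        return address(this).balance - totalFees - players.length * ENTRANCE_FEE;
    }

    function _payFees() private {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "fee transfer failed");
    }
}
```

With the hardened check, ETH that was not received through enter() stays in the contract but no longer blocks fee withdrawal; untrackedBalance() makes that surplus visible to monitoring.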