Submission Details
Severity: high
Valid

Reentrancy Vulnerability in `selectWinner` and `refund`

Vulnerability Details

The contract is vulnerable to reentrancy because both selectWinner and refund transfer Ether with a low-level call: directly in selectWinner, and through OpenZeppelin's Address.sendValue, which wraps call, in refund. A low-level call forwards all remaining gas, so a malicious recipient contract can execute arbitrary code in its receive or fallback function and re-enter the contract before the state updates around the transfer have taken effect:

In selectWinner:

function selectWinner() external {
    // ... (omitted code for brevity)
    (bool success,) = winner.call{value: prizePool}("");
    require(success, "PuppyRaffle: Failed to send prize pool to winner");
    // ... (omitted code for brevity)
}

In refund:

function refund(uint256 playerIndex) public {
    // ... (omitted code for brevity)
    payable(msg.sender).sendValue(entranceFee);
    // ... (omitted code for brevity)
}

Impact

  • Disruption of Contract Functionality: Reentrancy attacks can disrupt the normal flow of the contract, impacting its functionality and reliability.

  • Loss of User Trust: Such vulnerabilities can lead to significant financial losses for users and damage the reputation of the contract creators.

Recommendations

  • Employ Reentrancy Guard Mechanisms: Implement a reentrancy guard by using modifiers that prevent re-entrant calls.
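
The following is an added illustration of the recommended fix, not PuppyRaffle's own code: a minimal reentrancy guard modifier in the spirit of OpenZeppelin's ReentrancyGuard, combined with checks-effects-interactions ordering so that the refunded slot is cleared before any Ether leaves the contract. The same pattern applies to selectWinner. The players array, entranceFee and RaffleRefunded event are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited contract). Storage layout (players array,
// entranceFee, RaffleRefunded) is assumed for illustration only.
contract HardenedRaffle {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    address[] public players;
    uint256 public immutable entranceFee;
    event RaffleRefunded(address indexed player);

    // Minimal guard: a nested call into any guarded function while the
    // external transfer is in flight reverts instead of re-executing logic.
    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "Raffle: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "Raffle: wrong entrance fee");
        players.push(msg.sender);
    }

    function refund(uint256 playerIndex) external nonReentrant {
        // Checks
        address player = players[playerIndex];
        require(player == msg.sender, "Raffle: only the player can refund");
        require(player != address(0), "Raffle: already refunded");

        // Effects: clear the slot BEFORE value leaves the contract, so a
        // re-entered refund() fails the checks above even without the guard.
        players[playerIndex] = address(0);
        emit RaffleRefunded(player);

        // Interaction: the low-level call still forwards all gas, but the
        // contract's state is already final when the recipient runs.
        (bool success,) = payable(player).call{value: entranceFee}("");
        require(success, "Raffle: refund transfer failed");
    }
}
```

Either mitigation alone closes the finding; using both means a guard bypass (for example a second, unguarded function that reads players) still cannot double-refund.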

Updates

Lead Judging Commences

patrickalphac, Lead Judge, about 2 years ago
Hamiltonite, Lead Judge, about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
