FoundryNFT (Beginner Friendly)
Submission Details
Severity: low
Invalid

Lack of Access Control in Key Functions

Vulnerability Details

The contract does not restrict who may call the key functions withdrawFees and selectWinner. Both are declared external with no modifier or in-body check on msg.sender, so any externally owned account or contract can invoke them at any time. The function bodies are not reproduced below; how severe the missing check is depends on what each body does with the caller (for example, whether withdrawFees pays a fixed fee address or msg.sender), so the impact section treats both possibilities.

function withdrawFees() external {   // no onlyOwner / role check
    // ...
}

function selectWinner() external {   // no onlyOwner / role check
    // ...
}

Impact

  • Manipulation of Winner Selection: Because selectWinner can be called by anyone, including raffle participants, a participant decides when the draw happens. On its own that only controls timing; it becomes an exploitable manipulation when combined with predictable randomness (for example, a winner index derived from block values or the participant list), because the caller can wait for, or craft, a block in which the predicted winner is their own entry before triggering the draw.

  • Unrestricted Withdrawal: Any account can trigger withdrawFees. If the function pays out to msg.sender, this is direct theft of the accumulated fees. If it pays a fixed fee address, an attacker cannot redirect the funds but can control when the transfer happens, which matters if other functions assume the fee balance is still held by the contract at the moment they run.

Recommendations

  • Implement Role-Based Access Control: Restrict withdrawFees and selectWinner to a designated role such as the contract owner or a raffle administrator (OpenZeppelin's Ownable or AccessControl are the standard choices). Two caveats: restricting the caller does not by itself fix predictable randomness, which needs a separate fix such as a verifiable randomness source, and gating selectWinner behind the owner means the raffle cannot conclude unless the owner acts, so the liveness trade-off should be a deliberate design decision.

  • Use Modifiers for Access Control: Define a modifier (for example onlyOwner) that reverts unless msg.sender holds the required role, and apply it to both functions so the check is enforced uniformly and cannot be forgotten on a new code path.
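The following is an added example, not the contest contract's own code (the audited contract's function bodies are not shown on this page). It is a hypothetical minimal raffle, GatedRaffle, that applies an onlyOwner modifier to both withdrawFees and selectWinner, with Foundry tests asserting that a non-owner's call reverts and that the owner's calls succeed. The names GatedRaffle, NotOwner, feeAddress and the 20% fee split are assumptions for illustration; the randomness source is deliberately simple and commented as unsafe, because the example demonstrates caller restriction only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited raffle; names and fee split are assumptions.
contract GatedRaffle {
    address public owner;
    address public feeAddress;
    address[] public players;
    uint256 public totalFees;

    error NotOwner(address caller);

    // Reverts for any caller other than the deployer-set owner.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address _feeAddress) {
        owner = msg.sender;
        feeAddress = _feeAddress;
    }

    function enter() external payable {
        require(msg.value == 1 ether, "entry fee is 1 ether");
        players.push(msg.sender);
    }

    // onlyOwner decides WHO may trigger the draw; it does not make the draw fair.
    // block.prevrandao is predictable to a block proposer; use a VRF in production.
    function selectWinner() external onlyOwner {
        require(players.length > 0, "no players");
        uint256 idx = uint256(keccak256(abi.encode(block.prevrandao, players.length))) % players.length;
        address winner = players[idx];
        uint256 pot = address(this).balance - totalFees;
        uint256 fee = pot / 5;          // assumed 20% protocol fee
        uint256 prize = pot - fee;
        totalFees += fee;
        delete players;                 // state updated before the external call
        (bool ok, ) = winner.call{value: prize}("");
        require(ok, "prize transfer failed");
    }

    // Pays the fixed feeAddress, never msg.sender, and only when the owner calls.
    function withdrawFees() external onlyOwner {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "fee transfer failed");
    }
}

contract GatedRaffleTest is Test {
    GatedRaffle raffle;
    address deployer = makeAddr("deployer");
    address feeSink = makeAddr("feeSink");
    address attacker = makeAddr("attacker");

    function setUp() public {
        vm.prank(deployer);
        raffle = new GatedRaffle(feeSink);
        vm.deal(attacker, 10 ether);
        vm.prank(attacker);
        raffle.enter{value: 1 ether}();
    }

    function test_NonOwnerCannotSelectWinner() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(GatedRaffle.NotOwner.selector, attacker));
        raffle.selectWinner();
    }

    function test_NonOwnerCannotWithdrawFees() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(GatedRaffle.NotOwner.selector, attacker));
        raffle.withdrawFees();
    }

    function test_OwnerCanDrawAndWithdraw() public {
        vm.prank(deployer);
        raffle.selectWinner();                      // 1 ether pot: 0.8 prize, 0.2 fee
        assertEq(raffle.totalFees(), 0.2 ether);
        vm.prank(deployer);
        raffle.withdrawFees();
        assertEq(feeSink.balance, 0.2 ether);
        assertEq(raffle.totalFees(), 0);
    }
}
```

Save the file as test/GatedRaffle.t.sol in a Foundry project with forge-std installed and run `forge test --match-contract GatedRaffleTest`. The revert assertions are the check a reviewer would want before accepting the fix: the custom error carries the caller address, so the test proves the gate fired for the attacker specifically. The trade-off noted above still applies: with this gate in place the draw cannot happen unless the owner calls selectWinner.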

Updates

Lead Judging Commences

Hamiltonite (Lead Judge), about 2 years ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
