First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Unchecked Return Value Results in Inconsistent Contract Balance

tinotendajoe01

Summary

The refund function in the PuppyRaffle contract could potentially lead to an inconsistent contract balance due to the unchecked return value of the sendValue function.

Vulnerability Details

The sendValue function is used to refund the entrance fee to the player and do the subsequent logic that by defaul is subtracting the balance.

But this function does not check wether if the refund went through or not
If this function call fails, it returns false, but this return value is not checked in the code. This can lead to inconsistencies in the contract's balance, as the contract's state is not rolled back and the entranceFee is not refunded to the player.

PoC

Attacker may call an intentional malicious contract to fail the transaction by attempting a false refund:

contract Attack {

PuppyRaffle raffle;

constructor(PuppyRaffle raffle) {

raffle = _raffle;

}

function attack() public payable {

raffle.refund(0);

}

// The attacker can set the fallback to revert so that it will cause the puppyRaffle sendValue to fail

fallback() external payable {

revert();

}

Impact

An inconsistent contract balance can cause issues with subsequent operations that rely on accurate balance tracking. This could disrupt the operation of the raffle when is distributing the prize pool and potentially lead to a loss of trust in the contract.

Recommendations

To mitigate this vulnerability, it is important to check the return value of the sendValue function and handle any potential failures appropriately. This could involve reverting the transaction or logging an error message. Additionally, consider using the transfer function instead of sendValue, as transfer automatically reverts the transaction if the call fails.

Correct way to use sendValue

(bool success, ) = payable(msg.sender).sendValue(entranceFee);

if (success) {

// Refund was successful, you can proceed with your logic here

} else {

// Refund failed, revert the transaction or log an error message

revert("Refund failed");

}

The sendValue function returns a tuple with a success boolean and a data field. You can use the success boolean to check if the refund was successful. If it was, you can proceed with your logic. If not, we revert the transaction with an error message.

By doing this, you ensure that the transaction will revert in case of a failure, preventing potential vulnerabilities like inconsistent balances.

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!