Submission Details
Severity:
Refund allowed after Raffle has been over
Summary
Refund is allowed after raffle has over. It's not an automated raffle, So after raffle over refund must not be allowed.
Players are able to get their refund even after raffle has been over.
Vulnerability Details
refund
function refund(uint256 playerIndex) public {
// here should have a require check for raffle over check. 👈
address playerAddress = players[playerIndex];
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
payable(msg.sender).sendValue(entranceFee);
players[playerIndex] = address(0);
emit RaffleRefunded(playerAddress);
}
Impact
Raffle has lack of its standard, that makes it not a truly fair Raffle.
Tools Used
Manual review
Recommendations
We can employ a require check for raffle over as i did below...
refund fixed
function refund(uint256 playerIndex) public {
require(block.timestamp < raffleStartTime + raffleDuration, "PuppyRaffle: Raffle has over"); // here i added 👈 this check
address playerAddress = players[playerIndex];
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
payable(msg.sender).sendValue(entranceFee);
players[playerIndex] = address(0);
emit RaffleRefunded(playerAddress);
}
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.