Severity: medium
Invalid

No fallback function - Lost Ether

Summary

No fallback or receive function

Vulnerability Details

All functions that send ether to the owner, a player or the winner use amounts calculated from state variables rather than the contract balance. If any ETH is sent to this contract, perhaps in error by a user who doesn't quite understand how to use it, it will be locked forever. For example:

  1. A player misunderstands the rules and sends the 'feeAmount' directly to the contract.

  2. They realize their mistake and send the 'feeAmount' again via the 'enterRaffle()' function.

  3. In an attempt to recover their initial deposit they call refund(), but that only returns an amount of 'entranceFee x 1' when they have actually sent 'entranceFee x 2'.

  4. Whether they win or lose, nobody is able to recover the ETH sent in step 1, including the contract owner.

    function refund(uint256 playerIndex) public {
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
        payable(msg.sender).sendValue(entranceFee);
        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);
    }

Impact

Medium. There can be a potential loss of funds due to human oversight.

Tools Used

Manual inspection

Recommendations

Implement a fallback or receive function

Updates

Lead Judging Commences

patrickalphac Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
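
For step 1 of the scenario in the submission, an added Foundry test (not part of the submission, the judgement or the audited code base) that checks what Solidity does with a plain ether transfer to a contract declaring neither receive() nor a payable fallback(): the call reverts and the sender keeps the ether. RaffleLike, its simplified enterRaffle() signature, the test names and the compiler version are assumptions made for the example, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed version for this example

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the audited contract: one payable entry point
// and neither a receive() nor a fallback() function.
contract RaffleLike {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }
}

contract DirectSendTest is Test {
    RaffleLike raffle;
    address player = address(0xBEEF); // constructed test account

    function setUp() public {
        raffle = new RaffleLike(1 ether);
        vm.deal(player, 10 ether);
    }

    // Step 1: plain transfer with empty calldata, no function selected.
    function test_plainTransferIsRejected() public {
        vm.prank(player);
        (bool ok,) = address(raffle).call{value: 1 ether}("");
        assertFalse(ok, "no receive/fallback: the transfer reverts");
        assertEq(address(raffle).balance, 0);
        assertEq(player.balance, 10 ether);
    }

    // Step 2: the payable function is the path that accepts the fee.
    function test_enterRaffleAcceptsFee() public {
        vm.prank(player);
        raffle.enterRaffle{value: 1 ether}();
        assertEq(address(raffle).balance, 1 ether);
        assertEq(raffle.players(0), player);
    }
}
```

Run with `forge test --match-contract DirectSendTest` inside a Foundry project.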
