Strict equals in withdrawFees() - Frozen funds
Summary
The strict equality check does not account for a contract balance greater than the 'totalFees' amount. This can lead to that amount being frozen.
Also, the error message is not accurate.
Vulnerability Details
Here is a scenario
The raffle is played as intended and the winner is payed out. Now the fee recipient wants to collect their share
Somebody either by accident or just to be mean decides to send even a small amount of ETH to the contract.
The remaining balance is no longer exactly equal to the 'totalFees' amount and the function reverts. Now the fee recipient gets nothing and the funds are locked in the contract
Furthermore, even if step 3 never happened, this relies on the math in selectWinner() to execute perfectly without even a tiny fraction of a mistake in accounting.
Impact
High - This can directly lead to a loss of funds for feeRecipient
Tools Used
Manual Inspection
Recommendations
Change the check from '==' to '>=', this way we can always get our fees as long as the contract has enough ETH to cover it. Also change the message something more relevant.
Lead Judging Commences
greifers-send-money-to-contract-to-block-withdrawfees
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.