Submission Details
Severity: low
Valid

EnterRaffle and Refund can be called even after raffle duration has passed.

Summary

Players can still enter and refund after raffleDuration has elapsed, as long as selectWinner has not yet been called.

Vulnerability Details

This is unlikely to have any adverse effect on the contract itself, but it can lead to unexpected behavior and a suboptimal UX.

Impact

The impact is low; it is mostly a UX issue/design decision.
If a player enters the raffle in the same block as a transaction calling selectWinner, who calls selectWinner

The dapp might also advertise the raffle as being over while entries are still accepted, and that might not be clear to end users.

Tools Used

Manual Review

Recommendations

If the desired outcome is more of a closed system, then enterRaffle() and refund() could check that `block.timestamp <= raffleStartTime + raffleDuration`.
It is acceptable to keep the behavior as is, but the documentation should be very clear about it.
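As an added illustration of the recommendation above (example code, not PuppyRaffle's own), the sketch below gates enterRaffle() and refund() on the same deadline that selectWinner() waits for, and includes a Foundry test that exercises the boundary. The names raffleStartTime, raffleDuration, enterRaffle, refund and selectWinner come from this report; the modifier, custom errors, storage layout and the forge-std dependency are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Added example, not PuppyRaffle's code. Only the time gating is shown;
/// everything other than the function names from the report is assumed.
contract TimeBoundedRaffle {
    uint256 public immutable raffleStartTime;
    uint256 public immutable raffleDuration;
    uint256 public immutable entranceFee;
    address[] public players;
    bool public closed;

    error RaffleClosed();
    error RaffleStillOpen();
    error WrongEntranceFee();
    error NotAPlayer();
    error RefundFailed();

    constructor(uint256 fee, uint256 duration) {
        entranceFee = fee;
        raffleDuration = duration;
        raffleStartTime = block.timestamp;
    }

    /// The check recommended in the report: entries and refunds stop once the
    /// raffle window has elapsed (or once the draw has happened).
    modifier whileOpen() {
        if (closed || block.timestamp > raffleStartTime + raffleDuration) {
            revert RaffleClosed();
        }
        _;
    }

    function enterRaffle() external payable whileOpen {
        if (msg.value != entranceFee) revert WrongEntranceFee();
        players.push(msg.sender);
    }

    function refund(uint256 playerIndex) external whileOpen {
        if (playerIndex >= players.length || players[playerIndex] != msg.sender) {
            revert NotAPlayer();
        }
        players[playerIndex] = address(0); // clear the slot before paying out
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        if (!ok) revert RefundFailed();
    }

    /// Strict '>' here means no timestamp satisfies both whileOpen and this
    /// check, so an entry and the draw can never share the same second.
    function selectWinner() external {
        if (block.timestamp <= raffleStartTime + raffleDuration) {
            revert RaffleStillOpen();
        }
        closed = true;
        // Winner choice is left out on purpose: it needs a randomness source
        // that is unrelated to the timing question this example is about.
    }
}

/// Foundry test for the window boundary (assumes forge-std is installed).
contract TimeBoundedRaffleTest is Test {
    TimeBoundedRaffle raffle;
    address alice = makeAddr("alice");
    uint256 constant FEE = 1 ether;
    uint256 constant DURATION = 1 days;

    function setUp() public {
        raffle = new TimeBoundedRaffle(FEE, DURATION);
        vm.deal(alice, 10 ether);
    }

    function test_entryAndRefundRejectedAfterDeadline() public {
        vm.prank(alice);
        raffle.enterRaffle{value: FEE}(); // inside the window: accepted

        vm.warp(raffle.raffleStartTime() + DURATION + 1); // one second past the deadline

        vm.prank(alice);
        vm.expectRevert(TimeBoundedRaffle.RaffleClosed.selector);
        raffle.enterRaffle{value: FEE}();

        vm.prank(alice);
        vm.expectRevert(TimeBoundedRaffle.RaffleClosed.selector);
        raffle.refund(0);

        raffle.selectWinner(); // the only action still allowed
        assertTrue(raffle.closed());
    }

    function test_selectWinnerRejectedInsideWindow() public {
        vm.expectRevert(TimeBoundedRaffle.RaffleStillOpen.selector);
        raffle.selectWinner();
    }
}
```

Note the boundary: with `<=` in the entry/refund check and `>=` in selectWinner(), the single timestamp `raffleStartTime + raffleDuration` would satisfy both, which is exactly the overlap the judge's finding tag on selectWinner() points at; using a strict `>` on the selectWinner() side, as above, removes it.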

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

PuppyRaffle::selectWinner() - L126: should use `>` instead of `>=`

