First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Overflow possible in `totalFees`

inallhonesty

Summary

Overflow possible in totalFees because of uint64 choice.

Vulnerability Details

The variable totalFees is declared as a uint64 in the state variables section of the contract.

The maximum value for uint64 is 18446744073709551615, even if this looks like a big number, ETH has 18 decimals.

18446744073709551615 / 1e18 = 18446.744073709551615, meaning that if the totalFees ever reaches a value more than 18446.7440 ETH it will reset back to 0.

Impact

Medium because of the extreme fund loss for the protocol with a very low likelihood of ever happening.

Tools Used

Manual review.

Recommendations

Force selectWinner to revert in case totalFees ever overflows.

function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
uint256 totalAmountCollected = players.length * entranceFee;
uint256 prizePool = (totalAmountCollected * 80) / 100;
uint256 fee = (totalAmountCollected * 20) / 100;
++ require(totalFees + uint64(fee) >= totalFees, "PuppyRaffle: Overflow in totalFees");
totalFees = totalFees + uint64(fee);
uint256 tokenId = totalSupply();
...
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

overflow-uint64

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!