Beginner Friendly
FoundryNFT
100 EXP
Submission Details
Severity: medium
Invalid

DoS with unexpected revert in the refund() function

Summary

In refund(), Ether is returned to the caller with sendValue rather than a direct low-level call. If the recipient's receive or fallback function reverts, the refund transaction reverts as well and that player cannot withdraw; the submission treats this as a denial-of-service condition that could halt the contract and prevent people from interacting with it.

Vulnerability Details

refund() uses sendValue to return Ether to msg.sender. If the recipient's receive or fallback function reverts, or the call runs out of gas, the whole refund transaction reverts and that player's refund cannot complete. Note that sendValue (OpenZeppelin's Address.sendValue) is itself implemented as recipient.call{value: amount}("") followed by require(success, ...): it forwards all remaining gas and reverts on failure, so it is not subject to the 2300-gas stipend of transfer or send. A bare call{value: ...}("") differs only in that it returns false instead of reverting, leaving the caller to decide how to handle the failure. Because the recipient here is msg.sender, a reverting recipient blocks only its own refund; other players' refunds are unaffected.
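The behaviour described above, as an added Foundry test that is not part of the original submission or of the PuppyRaffle code base. MiniRaffle is a stand-in contract written for this example (its entranceFee, deposits mapping and useLowLevelCall switch are assumptions); its sendValue helper copies the body of OpenZeppelin's Address.sendValue so the test runs without that dependency. The test shows that a player whose receive() reverts cannot get its own refund under either transfer primitive, while another player's refund still succeeds:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for a raffle with a refund path. Added illustration only,
// not PuppyRaffle's code; the storage layout here is an assumption.
contract MiniRaffle {
    uint256 public immutable entranceFee;
    mapping(address => uint256) public deposits;
    bool public immutable useLowLevelCall;

    constructor(uint256 _entranceFee, bool _useLowLevelCall) {
        entranceFee = _entranceFee;
        useLowLevelCall = _useLowLevelCall;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "MiniRaffle: wrong fee");
        deposits[msg.sender] += msg.value;
    }

    // Refund goes to msg.sender, as in the submission's diff.
    function refund() external {
        require(deposits[msg.sender] >= entranceFee, "MiniRaffle: not a player");
        deposits[msg.sender] -= entranceFee;
        if (useLowLevelCall) {
            (bool success, ) = payable(msg.sender).call{value: entranceFee}("");
            require(success, "MiniRaffle: Failed to refund player");
        } else {
            sendValue(payable(msg.sender), entranceFee);
        }
    }

    // Same body as OpenZeppelin's Address.sendValue: forward all gas, revert on failure.
    function sendValue(address payable recipient, uint256 amount) internal {
        require(address(this).balance >= amount, "Address: insufficient balance");
        (bool success, ) = recipient.call{value: amount}("");
        require(success, "Address: unable to send value, recipient may have reverted");
    }
}

// Player contract whose receive() always reverts, so any ETH sent to it fails.
contract RevertingPlayer {
    MiniRaffle private immutable raffle;

    constructor(MiniRaffle _raffle) { raffle = _raffle; }
    function enter() external payable { raffle.enterRaffle{value: msg.value}(); }
    function refund() external { raffle.refund(); }
    receive() external payable { revert("no refunds accepted"); }
}

contract RefundDoSTest is Test {
    uint256 constant FEE = 1 ether;

    function _run(bool useLowLevelCall) internal {
        MiniRaffle raffle = new MiniRaffle(FEE, useLowLevelCall);
        RevertingPlayer bad = new RevertingPlayer(raffle);
        address good = makeAddr("good");
        vm.deal(good, FEE);
        vm.deal(address(this), FEE);

        bad.enter{value: FEE}();
        vm.prank(good);
        raffle.enterRaffle{value: FEE}();

        // The reverting player's own refund fails, whichever primitive is used...
        vm.expectRevert();
        bad.refund();

        // ...but other players are unaffected: the honest player is refunded in full.
        vm.prank(good);
        raffle.refund();
        assertEq(good.balance, FEE);
        assertEq(raffle.deposits(good), 0);
    }

    function testSendValueRefund() public { _run(false); }
    function testLowLevelCallRefund() public { _run(true); }
}
```

Run with forge test -vv in a Foundry project that has forge-std installed. Both tests pass for the same reason: sendValue and call-plus-require produce identical reverts for the reverting player and identical success for everyone else.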

Impact

A refund that reverts disrupts the contract's functionality for that player and, the submission argues, can prevent users from interacting with the contract and in some cases result in financial loss.

Tools Used

Took help from the Phind AI tool.

Recommendations

It is recommended to modify refund() to use a low-level call instead of sendValue:

- payable(msg.sender).sendValue(entranceFee);
+ (bool success, ) = payable(msg.sender).call{value: entranceFee}("");
+ require(success, "PuppyRaffle: Failed to refund player");
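Review bot: the `+` lines are functionally identical to the `-` line they replace, because OpenZeppelin's `Address.sendValue` is itself implemented as `recipient.call{value: amount}("")` followed by `require(success, ...)`; both forward all remaining gas and both revert when `msg.sender`'s receive or fallback reverts. As written the hunk only changes the revert string. If the intent is to keep a reverting recipient from blocking its refund, the `require(success, "PuppyRaffle: Failed to refund player");` line would have to go, with the failed amount recorded for the player to withdraw later instead of reverting.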

call{value: ...}("") forwards all available gas and returns false, rather than reverting, when the recipient's receive or fallback function reverts or runs out of gas. The require(success, ...) that follows then reverts the transaction on failure exactly as sendValue does, so this change preserves the existing behaviour: a recipient that rejects Ether still cannot be refunded, and the contract is no more or less stuck than before.

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
