Submission Details
Severity: high
Valid

FUNDS_WITHDRAWING_BY_ADDING_ACCOUNTS_THAT_REFUNDS

Summary

Because the total amount collected is calculated incorrectly, more money can be used than was donated to the round.

Vulnerability Details

In selectWinner, the amount of funds collected is calculated as uint256 totalAmountCollected = players.length * entranceFee. Because the players array can contain zero addresses for users who have refunded, totalAmountCollected can be greater than the amount actually collected. An attacker can therefore create a round with 100 bots and refund 99 of them. If his account wins, he receives 100 * entranceFee while the bots have already had their money refunded. The bots can be contracts that revert in their fallback function, so that (bool success,) = winner.call{value: prizePool}(""); in selectWinner fails for them and only a draw that chooses the attacker succeeds.
This can also be combined with selective packing by a miner to choose the correct winner.

Impact

Money that is meant to be admin fees or that belongs to other users can be withdrawn.

Tools Used

Recommendations

Calculate totalAmountCollected correctly: do not include refunded money in the sum.
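
One way to apply this recommendation, shown as an added sketch that is not the audited contract's code: it models only the accounting path and sets the calculation quoted above next to a corrected one. The contract name, the activePlayers counter and the helper functions naiveTotal, correctTotal and isEligible are assumptions introduced for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch (hypothetical names): only enter/refund accounting is modelled.
contract RaffleAccountingSketch {
    uint256 public immutable entranceFee;
    address[] public players;      // refunded slots are zeroed, as the finding describes
    uint256 public activePlayers;  // assumption: counter added so refunds shrink the pot

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
        activePlayers += 1;
    }

    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        // Effects before the external call: zero the slot and reduce the count first.
        players[index] = address(0);
        activePlayers -= 1;
        (bool ok,) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // Calculation from the finding: zeroed slots are still counted as paying players.
    function naiveTotal() public view returns (uint256) {
        return players.length * entranceFee;
    }

    // Corrected calculation: only entries that have not been refunded count.
    function correctTotal() public view returns (uint256) {
        return activePlayers * entranceFee;
    }

    // A draw should also reject refunded slots so that address(0) cannot be selected.
    function isEligible(uint256 index) public view returns (bool) {
        return players[index] != address(0);
    }
}
```

After any refund, naiveTotal() exceeds the ether the contract holds for the round, while correctTotal() stays equal to it; a prize and fee split should be derived from the latter.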

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
