Submission Details
Severity: high
Valid

Attacker can drain funds via refund

Summary

The PuppyRaffle.sol contract is vulnerable to re-entrancy via its refund function, because the refund is transferred to the player before that player is marked as refunded in the players list. To prevent this attack, the player should be marked as refunded before the refund is transferred (following the checks-effects-interactions pattern).

Vulnerability Details

The refund function can be drained by an attack contract that implements a payable function which re-enters the PuppyRaffle.sol contract and requests additional refunds. Any funds in the contract paid by other entrants in the raffle can be drained easily. A sample attack contract and test are included in the attached repo (AttackPuppyRaffle.sol, AttackPuppy.t.sol).

Impact

This vulnerability results in a loss of all entrants' funds.

Tools Used

Foundry

Recommendations

Follow the "checks-effects-interactions" best practice: clear the player's entry first and move the refund transfer to the end of the function. Alternatively, use a common re-entrancy guard such as OpenZeppelin's ReentrancyGuard modifier.
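To make the ordering bug and its fix concrete, here is an added example (not PuppyRaffle's code or the attached repo): a minimal raffle whose refund pays out before clearing the player's slot, beside the same function reordered to checks-effects-interactions. Contract and member names (RaffleBase, players, entranceFee, _checkRefund) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Shared state for a minimal raffle; names are assumptions, not PuppyRaffle's code.
abstract contract RaffleBase {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 fee) { entranceFee = fee; }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    // Shared checks: caller owns the slot and it has not been refunded yet.
    function _checkRefund(uint256 i) internal view returns (address player) {
        player = players[i];
        require(player == msg.sender, "not your entry");
        require(player != address(0), "already refunded");
    }
}

// BUG: ether is sent (interaction) before the slot is cleared (effect).
// While the external call runs, players[i] still holds the caller's address,
// so a nested call to refund(i) from the receiver passes _checkRefund again.
contract VulnerableRefund is RaffleBase {
    constructor(uint256 fee) RaffleBase(fee) {}

    function refund(uint256 i) external {
        _checkRefund(i);
        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "refund failed");
        players[i] = address(0); // effect applied too late
    }
}

// Fix: checks, then effects, then interactions. A nested refund(i) now
// hits the "already refunded" check and reverts, so only one payout occurs.
contract FixedRefund is RaffleBase {
    constructor(uint256 fee) RaffleBase(fee) {}

    function refund(uint256 i) external {
        _checkRefund(i);
        players[i] = address(0); // effect first
        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "refund failed");
    }
}
```

Wrapping FixedRefund.refund with OpenZeppelin's nonReentrant modifier adds a second, independent line of defence on top of the reordering.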

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
