The withdrawFees function in the provided smart contract possesses a critical vulnerability related to the withdrawal of fees. The function's design makes it susceptible to being locked and rendered non-functional when ether is sent to the contract through unconventional means, such as self-destruct calls from other contracts.
The vulnerability lies in the first require statement of the withdrawFees function:
This line checks whether the contract's balance exactly matches the recorded totalFees. However, if additional ether is sent to the contract address outside of its standard functions (e.g., through the selfdestruct operation from another contract), the contract's balance will increase without a corresponding increase in totalFees. This discrepancy will prevent the withdrawFees function from executing successfully, potentially leading to funds being permanently locked in the contract.
Locked Funds: Ether sent to the contract by non-standard means will render the withdrawFees function unusable, causing legitimate fees to be locked in the contract indefinitely.
Reduced Functionality: Inability to withdraw fees impacts the operational aspects of the contract, especially if the fees are intended for operational costs or profit distribution.
Security Exploitation: Malicious actors might exploit this vulnerability to intentionally lock funds within the contract.
manual
Remove Strict Balance Check: Modify the require statement to allow the withdrawal of totalFees regardless of the contract's total balance. This ensures that the withdrawal functionality remains operational even if additional ether is sent to the contract.
Implement a Recovery Mechanism: Add a function to handle and redistribute or withdraw unexpected ether sent to the contract, ensuring that the contract can manage its balance more flexibly.
Use Events for Monitoring: Emit events for all ether receipts and withdrawals. This will aid in monitoring and auditing contract balance changes.
Regular Audits and Monitoring: Conduct regular audits and monitor the contract for any unusual balance changes or transactions.
Documentation and Communication: Clearly document the contract's fee withdrawal process and communicate potential risks to the users, including the possibility of funds being sent to the contract outside of standard methods.
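The first three recommendations, sketched as an added example that is not the audited contract's code: `FeeVault`, `owner`, `feeAddress`, `payFee` and `sweepSurplus` are hypothetical names, and the strict check appears only as a comment in the form the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names are hypothetical, not from the audited contract.
contract FeeVault {
    address public immutable owner;
    address public feeAddress;
    uint256 public totalFees; // internal accounting: fees received through payFee()

    event FeeReceived(address indexed from, uint256 amount);
    event FeesWithdrawn(address indexed to, uint256 amount);
    event SurplusSwept(address indexed to, uint256 amount);

    constructor(address _feeAddress) {
        owner = msg.sender;
        feeAddress = _feeAddress;
    }

    function payFee() external payable {
        totalFees += msg.value;
        emit FeeReceived(msg.sender, msg.value);
    }

    // Strict form described in the finding (kept as a comment for comparison):
    //   require(address(this).balance == totalFees, "balance mismatch");
    // Ether that arrives without passing through payFee() makes that check fail.
    function withdrawFees() external {
        uint256 amount = totalFees;
        require(amount > 0, "no fees");
        // Hardened: only require that the recorded fees are covered.
        require(address(this).balance >= amount, "insufficient balance");
        totalFees = 0; // update state before the external call
        emit FeesWithdrawn(feeAddress, amount);
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "fee transfer failed");
    }

    // Recovery path: move out only ether that internal accounting does not cover.
    function sweepSurplus(address payable to) external {
        require(msg.sender == owner, "not owner");
        uint256 surplus = address(this).balance - totalFees; // reverts if under-funded
        require(surplus > 0, "no surplus");
        emit SurplusSwept(to, surplus);
        (bool ok, ) = to.call{value: surplus}("");
        require(ok, "sweep failed");
    }
}
```

Ether forced into the contract never triggers `FeeReceived`, so an off-chain monitor can flag it by comparing the contract balance with `totalFees` after each block.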