Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: high
Valid

Unfair winner selection caused by poor access control

Summary

The PuppyRaffle::selectWinner function has no access control, so any address can call it.
An attacker can exploit this by calling the function at the moment that is most advantageous to them,
for example when most of the participants in the current raffle are accounts the attacker controls.

Vulnerability Details

Impact

Tools Used

Recommendations

Modify PuppyRaffle::selectWinner so only the owner can call it.

-- function selectWinner() external {
++ function selectWinner() external onlyOwner {
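Review bot: the `onlyOwner` modifier introduced in the `++` line only exists if PuppyRaffle inherits OpenZeppelin's Ownable (or declares the modifier itself); the recommendation should say which, otherwise the suggested change does not compile. It is also worth stating the limit of this fix in the recommendation: the judges tagged the finding weak-randomness with root cause "bad RNG", so gating selectWinner narrows who can time the draw to the owner but does not make the winner index itself unpredictable; the access-control change is a hardening step, not a fix for the randomness.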

As a best practice, the same should be done for the PuppyRaffle::withdrawFees function. Currently the lack of access control on that function does not present a security risk, but there is no reason for anyone other than the owner to call it.
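To make the before/after concrete, here is an added, self-contained illustration; it is not PuppyRaffle's code and not part of the original submission. The Raffle contract, its function names and its placeholder winner-index computation are assumptions made for the example; only the access-control pattern (an open `selectWinnerOpen` beside an owner-gated `selectWinner`) reflects the finding. The accompanying Foundry test assumes a standard Foundry project with forge-std available and shows that an arbitrary address can trigger the open variant but is reverted by the gated one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Illustrative raffle (assumed for this example, NOT PuppyRaffle's code).
// Only the access-control point from the finding is modelled.
contract Raffle {
    address public immutable owner;
    address[] public players;
    address public previousWinner;

    error NotOwner();
    error NoPlayers();

    // Minimal owner check; a real project would typically inherit Ownable.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function enterRaffle(address[] calldata newPlayers) external {
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
    }

    // BEFORE the fix: anyone may call this, so anyone may choose *when* the
    // draw happens (e.g. when the player list is mostly their own accounts).
    function selectWinnerOpen() external {
        _draw();
    }

    // AFTER the fix (the finding's recommendation): only the owner may draw.
    function selectWinner() external onlyOwner {
        _draw();
    }

    function _draw() internal {
        uint256 n = players.length;
        if (n == 0) revert NoPlayers();
        // Placeholder index, assumed for the example. It is NOT a secure RNG:
        // block variables are predictable, which is the "bad RNG" root cause
        // the judges noted and which access control alone does not fix.
        uint256 winnerIndex = uint256(keccak256(abi.encode(block.timestamp, n))) % n;
        previousWinner = players[winnerIndex];
        delete players;
    }
}

// Foundry test (assumes forge-std). The test contract deploys Raffle and is
// therefore its owner; "attacker" is a constructed, unprivileged address.
contract RaffleAccessTest is Test {
    Raffle internal raffle;
    address internal attacker = makeAddr("attacker");

    function setUp() public {
        raffle = new Raffle();
        address[] memory p = new address[](2);
        p[0] = attacker;
        p[1] = makeAddr("victim");
        raffle.enterRaffle(p);
    }

    // The bug: a non-owner can trigger the draw at a time of their choosing.
    function testAnyoneCanCallOpenVariant() public {
        vm.prank(attacker);
        raffle.selectWinnerOpen();
        assertTrue(raffle.previousWinner() != address(0));
    }

    // The fix: the same call from a non-owner reverts with NotOwner.
    function testNonOwnerCannotSelectWinner() public {
        vm.prank(attacker);
        vm.expectRevert(Raffle.NotOwner.selector);
        raffle.selectWinner();
    }

    // The owner path still works after the fix.
    function testOwnerCanSelectWinner() public {
        raffle.selectWinner();
        assertTrue(raffle.previousWinner() != address(0));
    }
}
```

Run with `forge test --match-contract RaffleAccessTest`. The point of the two side-by-side entry points is that the gated version changes who can time the draw, not how the winner is derived; the placeholder `_draw` stays predictable either way.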

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.

luka Submitter almost 2 years ago
patrickalphac Lead Judge almost 2 years ago