First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-03] Integer Overflow in Total Amount Calculation Risks Misallocation of Funds

maanvad3r

Summary

The selectWinner function within the smart contract calculates the totalAmountCollected by multiplying the players.length by entranceFee. However, this calculation is prone to an integer overflow vulnerability, which may lead to an incorrect computation of totalAmountCollected, affecting the subsequent distribution of funds and NFTs.

Vulnerability Details

The vulnerability occurs at the line:

uint256 totalAmountCollected = players.length * entranceFee;

If the product of players.length and entranceFee exceeds the maximum value of a uint256, an overflow will occur, wrapping the result around and returning a much smaller number than expected.

Impact

An integer overflow in the totalAmountCollected calculation could lead to an unexpected behavior where the total amount of funds collected is misrepresented. This misrepresentation can further impact the distribution of funds to the winner and the feeAddress, and the minting and assignment of NFTs. This compromises the integrity of the raffle and may result in financial loss or unfair advantage to some participants.

POC

function test_Overflow() public {

uint256 playersLength = type(uint256).max / entranceFee; // Largest possible value for playersLength without overflow

playersLength += 1; // Increment playersLength to cause an overflow

console.log(playersLength);

uint256 totalAmountCollected = playersLength * entranceFee;

bool overflowOccurred = totalAmountCollected < playersLength || totalAmountCollected < entranceFee;

assertTrue(overflowOccurred); // Assert that an overflow occurred

}

In this proof of concept, the test_Overflow function demonstrates how an overflow can occur when the players.length and entranceFee are multiplied together. By incrementing the playersLength to a value that will cause an overflow, the test asserts that an overflow occurred by checking if totalAmountCollected is less than either playersLength or entranceFee.

Tools Used

Manual review
Foundry

Recommendations

Implement checks to ensure that the product of players.length and entranceFee does not exceed the maximum uint256 value before performing the multiplication.
Consider utilizing SafeMath or other similar libraries that provide safe arithmetic operations to prevent overflows.
Restrict the maximum number of players or the value of entranceFee to prevent the multiplication from exceeding the maximum uint256 value.
Use solidity version ^0.8.0 as it includes overflow/underflow checks

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

overflow-uint64

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.