Submission Details
Severity: medium
Valid

Unable to withdraw the entire balance of the contract

Summary

The withdrawFees function in the smart contract relies on the contract's balance being equal to the totalFees in order for the owner to withdraw the funds. However, this approach is flawed as anyone can send any amount of ether to the contract, leading to an inequality between the contract's balance and the totalFees. Consequently, the owner may not be able to withdraw the entire balance of the contract.

Vulnerability Details

The issue lies in the withdrawFees function, which assumes that the contract's balance will always be equal to the totalFees accumulated. However, this assumption is invalid because anyone can send arbitrary amounts of ether to the contract, causing a mismatch between the balance and the totalFees. Consequently, the owner may find it impossible to withdraw the complete contract balance.

Impact

The feeAddress may be unable to withdraw the entire balance of the contract, leading to a loss of funds.

Tools Used

Manual Review

Recommendations

To address this vulnerability, it is advised to modify the withdrawFees function.

It is recommended to check the length of players to ensure there are no currently active players, instead of the equality check address(this).balance == uint256(totalFees):

function withdrawFees() external {
    require(players.length == 0, "PuppyRaffle: There are currently players active!");
    uint256 feesToWithdraw = totalFees;
    totalFees = 0;
    (bool success,) = feeAddress.call{value: feesToWithdraw}("");
    require(success, "PuppyRaffle: Failed to withdraw fees");
}
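The following Foundry test is an added example, not part of the submission or the audited code base: it uses a constructed minimal stand-in contract (MinimalRaffle) that keeps only the state withdrawFees reads, and uses vm.deal to make the contract balance differ from totalFees, showing that the original equality check reverts while the recommended players.length check still pays out the full fees. It assumes forge-std is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Constructed minimal stand-in for the raffle (not the audited contract): only the
// state that withdrawFees reads, with a flag to choose the original or recommended check.
contract MinimalRaffle {
    address[] public players;
    uint64 public totalFees;
    address public feeAddress;
    bool public useBalanceCheck;
    // Ether sent at deployment stands in for fees accrued by a finished raffle.
    constructor(address _feeAddress, bool _useBalanceCheck) payable {
        feeAddress = _feeAddress;
        useBalanceCheck = _useBalanceCheck;
        totalFees = uint64(msg.value);
    }
    function withdrawFees() external {
        if (useBalanceCheck) {
            // Original check: fails as soon as balance and totalFees diverge.
            require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
        } else {
            // Recommended check: depends only on whether a raffle is in progress.
            require(players.length == 0, "PuppyRaffle: There are currently players active!");
        }
        uint256 feesToWithdraw = totalFees;
        totalFees = 0;
        (bool success,) = feeAddress.call{value: feesToWithdraw}("");
        require(success, "PuppyRaffle: Failed to withdraw fees");
    }
}

contract WithdrawFeesTest is Test {
    address feeAddress = makeAddr("feeAddress");
    // Deploy with 1 ether of fees, then make the balance differ from totalFees by 1 wei.
    function _deployWithStrayEther(bool useBalanceCheck) internal returns (MinimalRaffle raffle) {
        raffle = new MinimalRaffle{value: 1 ether}(feeAddress, useBalanceCheck);
        vm.deal(address(raffle), 1 ether + 1 wei);
    }
    function testOriginalCheckBlocksWithdrawal() public {
        MinimalRaffle raffle = _deployWithStrayEther(true);
        vm.expectRevert("PuppyRaffle: There are currently players active!");
        raffle.withdrawFees();
    }
    function testRecommendedCheckWithdrawsFees() public {
        MinimalRaffle raffle = _deployWithStrayEther(false);
        raffle.withdrawFees();
        assertEq(feeAddress.balance, 1 ether);
        assertEq(uint256(raffle.totalFees()), 0);
    }
}
```

Run with forge test; the 1 wei that remains in the contract after the recommended withdrawal is expected, since it was never counted in totalFees.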
Updates

Lead Judging Commences

Hamiltonite (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

greifers-send-money-to-contract-to-block-withdrawfees
