unable to withdraw the entire balance of the contract
Summary
The withdrawFees function in the smart contract relies on the contract's balance being equal to the totalFees in order for the owner to withdraw the funds. However, this approach is flawed as anyone can send any amount of ether to the contract, leading to an inequality between the contract's balance and the totalFees. Consequently, the owner may not be able to withdraw the entire balance of the contract.
Vulnerability Details
The issue lies in the withdrawFees function, which assumes that the contract's balance will always be equal to the totalFees accumulated. However, this assumption is invalid because anyone can send arbitrary amounts of ether to the contract, causing a mismatch between the balance and the totalFees. Consequently, the owner may find it impossible to withdraw the complete contract balance.
Impact
The feeAddress may be unable to withdraw the entire balance of the contract, leading to a loss of funds.
Tools Used
Manual Review
Recommendations
To address this vulnerability, it is advised to modify the withdrawFees function.
It’s recommend to check the length of players to make sure none current active players instead of the equality check address(this).balance == uint256(totalFees)
Lead Judging Commences
greifers-send-money-to-contract-to-block-withdrawfees
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.