Submission Details
Severity: high
Valid

Possibility of withdrawing all the funds using refund()

Summary

refund() is designed to return the entranceFee to a user who chooses not to participate in the raffle. However, it does not follow the recommended checks-effects-interactions pattern, which leaves it open to a reentrancy attack.

Vulnerability Details

refund() sends the entranceFee (in ether) back to the user. However, it first transfers the funds and only then sets the player's entry in the players array to the zero address. This ordering lets an attacker deploy a malicious contract whose receive() function re-enters refund() before the entry is cleared, potentially draining the contract's entire balance.

    function refund(uint256 playerIndex) public {
        // Checks: caller must own this slot and the slot must still be active
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
        // Interaction before effect: the external call runs while players[playerIndex]
        // still holds msg.sender, so a receive() hook in the caller can invoke
        // refund(playerIndex) again and pass both checks above.
        payable(msg.sender).sendValue(entranceFee);
        // Effect: the slot is only cleared after the funds have left the contract
        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);
    }

Impact

All the funds held by the contract can be stolen.

Tools Used

Manual review.

Recommendations

Follow the checks-effects-interactions pattern: first set the player's entry in the players array to the zero address, and only then send the entranceFee to the user. A reentrancy guard on refund() is a reasonable second line of defence.
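The hardened version of refund() described above, written out as an added example; this is not the PuppyRaffle project's code. The contract is a minimal stand-in that models only what refund() touches (players, entranceFee, the event), the contract and test names are made up, and the imports assume OpenZeppelin's Address library and forge-std are available in the project. The Foundry test checks that a second refund() for the same index reverts, which is exactly the check a re-entering receive() hook would now fail.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Address} from "@openzeppelin/contracts/utils/Address.sol";
import {Test} from "forge-std/Test.sol";

/// Minimal stand-in for the raffle (added example; not the project's code).
contract RaffleRefundFixed {
    using Address for address payable;

    uint256 public immutable entranceFee;
    address[] public players;

    // Simple mutex as a second line of defence. OpenZeppelin's ReentrancyGuard
    // does the same thing; it is inlined here to keep the example self-contained.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "PuppyRaffle: reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    event RaffleRefunded(address player);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "PuppyRaffle: Must send enough to enter raffle");
        players.push(msg.sender);
    }

    function refund(uint256 playerIndex) public nonReentrant {
        // Checks
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

        // Effects: clear the slot BEFORE any external call, so a re-entrant
        // refund(playerIndex) fails the msg.sender / address(0) checks above.
        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);

        // Interaction: the external call goes last.
        payable(msg.sender).sendValue(entranceFee);
    }
}

/// Foundry test (assumed harness): a refunded slot cannot be refunded twice.
contract RaffleRefundFixedTest is Test {
    RaffleRefundFixed raffle;
    address alice = makeAddr("alice"); // constructed test account

    function setUp() public {
        raffle = new RaffleRefundFixed(1 ether);
        vm.deal(alice, 1 ether);
        vm.prank(alice);
        raffle.enterRaffle{value: 1 ether}();
    }

    function test_secondRefundReverts() public {
        vm.startPrank(alice);
        raffle.refund(0);
        assertEq(alice.balance, 1 ether);
        // The slot now holds address(0), so the ownership check fails first.
        vm.expectRevert("PuppyRaffle: Only the player can refund");
        raffle.refund(0);
        vm.stopPrank();
    }
}
```

Run with `forge test --match-contract RaffleRefundFixedTest`. The ordering change alone closes the finding; the nonReentrant modifier is belt-and-braces so that a future edit which reintroduces an early external call still cannot be re-entered.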

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
