Beginner FriendlyFoundryNFT
100 EXP
Submission Details
Severity: high
Valid

Possibility of incorrect calculation of totalAmountCollected in selectWinner()

Summary

selectWinner() calculates totalAmountCollected in order to distribute a portion to the winner and add the remaining portion to totalFees. However, the formula used in this calculation can diverge from the funds actually held by the contract once a user exits the raffle through refund().

Vulnerability Details

selectWinner() calculates totalAmountCollected with the formula totalAmountCollected = players.length * entranceFee. The issue arises when a user calls refund(): refund() sets the entry at playerIndex to the zero address but does not reduce the length of the players array. As a result, the formula still uses the original array length, so the amount the contract believes it collected exceeds the funds it actually holds. This discrepancy can lead to unexpected behaviour, including transactions reverting because the contract balance is insufficient for the computed prize and fee payouts.

// selectWinner(): multiplies by the full array length, refunded slots included
uint256 totalAmountCollected = players.length * entranceFee;
// refund(): zeroes the player's slot but leaves players.length unchanged
players[playerIndex] = address(0);

Impact

Unexpected behaviour, locking of funds and a mismatch between the accounted and actual balance.

Tools Used

Manual review.

Recommendations

When a user calls refund(), remove the address from the players array so that players.length decreases accordingly.
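To make the accounting gap described in Vulnerability Details and the recommended fix concrete, here is a minimal raffle contract written for this page (it is an added illustration, not the audited contract's code). The names RaffleAccounting, refundBuggy, refundFixed and accountedTotal are assumptions; the fix uses swap-and-pop removal, which shifts the index of the player moved into the vacated slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: reproduces the length-based accounting bug and one fix.
contract RaffleAccounting {
    uint256 public immutable entranceFee;
    address[] public players;
    uint256 public totalFees;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong entrance fee");
        players.push(msg.sender);
    }

    // VULNERABLE pattern from the finding: the slot is zeroed but
    // players.length is unchanged, so later accounting overstates funds.
    function refundBuggy(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not this player");
        players[playerIndex] = address(0);
        payable(msg.sender).transfer(entranceFee);
    }

    // FIXED (assumed approach): physically remove the entry so the array
    // length tracks the number of paid players. Swap-and-pop moves the last
    // player into the vacated slot, so callers must re-query their index.
    function refundFixed(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not this player");
        players[playerIndex] = players[players.length - 1];
        players.pop();
        payable(msg.sender).transfer(entranceFee);
    }

    // Mirrors the selectWinner() calculation next to the real balance.
    // After refundBuggy, `accounted` exceeds `actual` by one entranceFee per
    // refund, which is the gap that makes the prize/fee payout revert.
    function accountedTotal() external view returns (uint256 accounted, uint256 actual) {
        accounted = players.length * entranceFee;
        actual = address(this).balance;
    }
}
```

Deploying this with an entranceFee, entering twice and calling refundBuggy once leaves accountedTotal() reporting 2 * entranceFee against an actual balance of entranceFee; the same sequence with refundFixed reports matching values.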

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also get this issue. Impact: High. Likelihood: High.
