Severity: high
Valid

`refund` steals funds

Summary

The `refund` function sends the `entranceFee` to the player stored at the given index of the `players` array, provided that player is the message sender. However, that player may not be the one who bought in.

```solidity
function refund(uint256 playerIndex) public {
    address playerAddress = players[playerIndex];
    require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
    require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
    // Pays the caller (the player), regardless of who paid the entrance fee.
    payable(msg.sender).sendValue(entranceFee);
    // ... (rest of the function is not shown in this submission)
}
```

Vulnerability Details

To enter a raffle, an array of addresses is given and the entry fee is paid by the `msg.sender`, who is not necessarily the player who calls for the refund. A player who did not pay the `entranceFee` can claim a refund and basically steal the funds from the raffle, which will likely hurt the feelings of the player who bought them their entrance to the raffle. On the flip side, someone who paid for multiple entries will only get a partial refund from calling this function.

Impact

Loss of funds from the raffle pool and hurt feelings.

Tools Used

Manual Review

Recommendations

Track the address that paid for a player's entrance and refund that player if a player wishes to leave the raffle.
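
One way to implement this recommendation, as an added example that is not the PuppyRaffle source or the submitter's code. The contract name, the `payerOf` mapping and the `EntryRefunded` event are assumptions; duplicate-player checks and winner selection are left out so that only payer tracking is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: names below are hypothetical, not from the audited code.
contract RaffleWithPayerTracking {
    uint256 public immutable entranceFee;
    address[] public players;
    // Index into players[] => address that paid for that entry.
    mapping(uint256 => address) public payerOf;

    event EntryRefunded(address indexed player, address indexed payer);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // msg.sender pays for every address in newPlayers and is recorded per entry.
    function enterRaffle(address[] calldata newPlayers) external payable {
        require(msg.value == entranceFee * newPlayers.length, "Must send exact fee");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            payerOf[players.length] = msg.sender;
            players.push(newPlayers[i]);
        }
    }

    // The player chooses to leave; the fee returns to whoever paid for the entry.
    function refund(uint256 playerIndex) external {
        address playerAddress = players[playerIndex];
        require(playerAddress != address(0), "Player already refunded, or is not active");
        require(playerAddress == msg.sender, "Only the player can refund");
        address payer = payerOf[playerIndex];

        // Clear the entry before the external call (checks-effects-interactions),
        // so a re-entrant call finds address(0) and reverts.
        players[playerIndex] = address(0);
        delete payerOf[playerIndex];
        emit EntryRefunded(playerAddress, payer);

        (bool ok, ) = payable(payer).call{value: entranceFee}("");
        require(ok, "Refund transfer failed");
    }
}
```

Because each entry carries its own payer, someone who paid for several entries is refunded once per entry as each of those players leaves. If the payer is a contract that rejects ether, the refund reverts, so a withdrawal (pull) balance for payers is the alternative design.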

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
