Severity: high
Valid

Overflow of totalFees can result in Denial of Service

Summary

The totalFees variable can overflow, causing a denial of service (DoS).

Vulnerability Details

The totalFees variable is declared as uint64. The maximum value a uint64 can hold is 18,446,744,073,709,551,615, which, read as wei, is about 18.446 ether. If the total fees collected exceed this value, totalFees overflows. This can lead to a denial-of-service (DoS) vulnerability in the withdrawFees function, because the require statements will fail and the transfer of fees will not occur.

Proof of Concept

    function testtotalFeesOverflow() public {
        // Enter 100 distinct players in a single call
        address[] memory players = new address[](100);
        for (uint i = 0; i < players.length; i++) {
            players[i] = address(i);
        }
        puppyRaffle.enterRaffle{value: entranceFee * players.length}(players);

        // Move past the raffle duration so a winner can be selected
        vm.warp(block.timestamp + duration + 1);
        vm.roll(block.number + 1);
        puppyRaffle.selectWinner();

        console.log("Total Fees: ", puppyRaffle.totalFees());
        console.log("Balance of ether : ", address(puppyRaffle).balance);
        // totalFees is not equal to the ether balance due to overflow;
        // the max value uint64 can hold is 18446744073709551615 == 18.44 ether
        assertNotEq(puppyRaffle.totalFees(), address(puppyRaffle).balance);

        // withdrawFees now reverts because totalFees and the balance differ
        vm.expectRevert("PuppyRaffle: There are currently players active!");
        puppyRaffle.withdrawFees();
    }

Impact

The 20% of the fees collected by feeAddress can never be transferred.

Tools Used

Foundry

Recommendations

Declare totalFees as uint256.
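
The overflow and the recommended fix, modelled in Python as an added example (it is not part of the submission or of the PuppyRaffle code). Assumptions: an entrance fee of 1 ether, wrapping (unchecked) arithmetic on totalFees, the contract holding exactly the 20% fee share after a round, and a withdrawFees check that requires the balance to equal totalFees; FeeLedger and the helper names are hypothetical.

```python
ETHER = 10**18  # wei per ether


class FeeLedger:
    """Toy model of the fee accounting; `bits` is the width of totalFees."""

    def __init__(self, bits):
        self.mask = (1 << bits) - 1
        self.total_fees = 0  # models the totalFees storage variable
        self.balance = 0     # models address(puppyRaffle).balance, in wei

    def settle_round(self, players, entrance_fee_wei):
        """Book one finished raffle; returns the true fee in wei."""
        fee = players * entrance_fee_wei * 20 // 100  # 20% fee share
        # Assumed wrapping arithmetic: only the low `bits` bits survive.
        self.total_fees = (self.total_fees + fee) & self.mask
        self.balance += fee  # assumed: the other 80% left as the prize
        return fee

    def can_withdraw(self):
        # Assumed form of the withdrawFees check: balance must equal totalFees.
        return self.balance == self.total_fees


def min_players_to_wrap(entrance_fee_wei, bits=64):
    """Smallest single-round player count whose fee no longer fits in `bits`."""
    fee_per_player = entrance_fee_wei * 20 // 100
    return ((1 << bits) - 1) // fee_per_player + 1


def run_poc_round(bits, players=100, entrance_fee_wei=ETHER):
    """Replay the PoC's single round; the 1 ether entrance fee is an assumption."""
    ledger = FeeLedger(bits)
    ledger.settle_round(players, entrance_fee_wei)
    return ledger


if __name__ == "__main__":
    for bits in (64, 256):
        led = run_poc_round(bits)
        print(bits, led.total_fees, led.balance, led.can_withdraw())
    print("players needed to wrap uint64:", min_players_to_wrap(ETHER))
```

With a 64-bit counter the stored total wraps to a small remainder while the balance holds the full fee, so the equality check can never pass again; with a 256-bit counter the two stay equal.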

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

greifers-send-money-to-contract-to-block-withdrawfees

overflow-uint64
