First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Partial loss of fee funds due to overflow

0xtekt

Summary

Fee overflow can occur when there are sufficient participants in a raffle (for a given entranceFee) as the fee is calculated as a uint256 and then cast to a uint64. This compiler version does not automatically revert on over/underflow.

Vulnerability Details

A proof of concept is presented below. In this instance, only 93 players need to enter the raffle for overflow to occur when the entrance fee is 1 ether.

// Working PoC in the PuppyRaffleTest.t.sol file.

function testFeeOverflowInSelectWinner() public {

// Calculate number of players required for an overflow to occur

uint256 numPlayers = calculatePlayersForFeeOverflow();

// Setup address array: players

address[] memory players = new address[](numPlayers);

for (uint256 i; i < players.length; ++i) {

players[i] = makeAddr(string(abi.encodePacked("CAW CAW NUMBER ", vm.toString(i))));

}

// Enter the raffle with players

puppyRaffle.enterRaffle{value: players.length * entranceFee}(players);

// Skip to end of the raffle and and select winner

skip(duration + 1);

puppyRaffle.selectWinner();

// Calculate the expectedFee

uint256 expectedFee = (players.length * entranceFee * 20) / 100;

// If working as intended, these should be equal.

assertNotEq(expectedFee, uint256(puppyRaffle.totalFees()));

}

// Helper function to calculate number of players required for fee overflow

function calculatePlayersForFeeOverflow() internal view returns (uint256) {

uint256 maxFee = type(uint64).max;

return (maxFee * 100) / (entranceFee * 20) + 1;

}

Impact

Loss of partial funds. The amount collected from users is split between fees and the prize pool. A partial amount (dependent on extend of overflow) of the fee funds will be lost.

Tools Used

Foundry.

Recommendations

Consider using a larger unsigned integer, especially if you think this raffle will be successful.

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

overflow-uint64

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!