First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Cross Function reentrancy

0xdark1337

Summary

The refund() function sends the entranceFee back to the user using sendValue which handing over the control to the user contract which triggers the receive function and from which the user can able to execute selectWinner() function which is an external function having no access controls implemented in it.

Vulnerability Details

function selectWinner() external{}

The selectWinner() function which is an external function has no access control implemented in it can leads to anyone can call selectWinner().

Impact

Since anyone can call the selectWinner() function any user can have an advantage of becoming the winner by calling the selectWinner() after the time interval which brings the flaw to the entire system. The code to re-enter the contract as follows,

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
import "./PuppyRaffle.sol";
contract PlayerContract {
PuppyRaffle public raffle;
constructor(address _puppyRaffleAddress) {
raffle = PuppyRaffle(_puppyRaffleAddress);
}
function enterRaffle() public {
address[] memory players = new address[](1);
players[0] = msg.sender;
raffle.enterRaffle(players);
}
receive() external payable {
raffle.selectWinner();
}
}

Tools Used

Remix

Recommendations

The external functions which carries sensitive actions like changing the state of the contract needs to have access control in place and only the owner of the contract needs to have access to call such functions.

- function selectWinner() external{}
+ function selectWinner() external onlyOwner{}
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!