Beginner Friendly · Foundry · NFT
100 EXP
Submission Details
Severity: high
Valid

Some code issues

Summary

I have found 5 issues; they are described in the Findings.md file. The code is updated accordingly.

I'm sure there are some more issues to find, but this is literally my first fight since I started to learn Solidity from scratch, having 0 experience in programming. I tried to set up some invariant tests as well, but I am still learning and working on it. By the way, thanks for these challenges; they are a good practical experience to dive deeper and understand how things work.

Vulnerability Details

Briefly, the issues I have found are:

  1. Change the `players` array to a mapping to save gas.

  2. It should not be possible to add an array `newPlayers` that consists of zero addresses.

  3. A reentrancy attack is possible in the base code version; the index should be set to 0 before the transfer, line 110. The code for the attack is ReentrancyRaffle.sol. // high impact

  4. The winner must have a valid ID in the `players` array.

  5. Since the function `withdrawFees()` is set to be called manually, it is possible to manually create conditions where the owner can never get the fees.

Impact

high / medium / low

Tools Used

manual review

Recommendations

See the file Findings.md; the code has been changed accordingly.
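The refund reentrancy from finding 3, shown as an added example beside its fix (this is illustrative code, not the submission's ReentrancyRaffle.sol nor the contest contract; the names `players`, `entranceFee` and `refund(uint256)` are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example modelling the refund() pattern from finding 3; the names
// players, entranceFee and refund(uint256) are assumed, not the contest's code.
abstract contract RaffleBase {
    address[] public players;
    uint256 public immutable entranceFee;

    constructor(uint256 fee) { entranceFee = fee; }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong entrance fee");
        players.push(msg.sender);
    }

    function refund(uint256 playerIndex) external virtual;
}

// Vulnerable ordering: the ETH transfer (interaction) runs before the slot
// is cleared (effect). A contract receiving the ETH can call refund() again
// from its receive() while players[playerIndex] still equals msg.sender,
// so both checks keep passing until the raffle balance is exhausted.
contract VulnerableRaffle is RaffleBase {
    constructor(uint256 fee) RaffleBase(fee) {}

    function refund(uint256 playerIndex) external override {
        address player = players[playerIndex];
        require(player == msg.sender, "only the player can refund");
        require(player != address(0), "already refunded or inactive");
        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "refund transfer failed");
        players[playerIndex] = address(0); // effect after interaction: too late
    }
}

// Hardened ordering (checks-effects-interactions): clear the slot before
// sending ETH, so a re-entrant call fails the address(0) check and reverts.
// A nonReentrant mutex (e.g. OpenZeppelin ReentrancyGuard) is a sensible
// extra layer, but the reordering alone closes this bug.
contract SafeRaffle is RaffleBase {
    constructor(uint256 fee) RaffleBase(fee) {}

    function refund(uint256 playerIndex) external override {
        address player = players[playerIndex];
        require(player == msg.sender, "only the player can refund");
        require(player != address(0), "already refunded or inactive");
        players[playerIndex] = address(0); // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "refund transfer failed");
    }
}
```

A Foundry invariant test that asserts `address(raffle).balance == entranceFee * activePlayers` after any sequence of `enter`/`refund` calls would catch the vulnerable ordering automatically.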

Updates

Lead Judging Commences

patrickalphac Lead Judge about 2 years ago
hexbyte Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
