Tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

The prize amount is incorrect if there was at least one refund

Summary

The prize amount is computed incorrectly if there was at least one refund.

Vulnerability Details

The prize amount is computed as players.length * entranceFee. When a player calls refund, their address is replaced by address(0) in the players array instead of being removed, so players.length no longer reflects the number of active (paid-in) entrants: every refunded slot still counts toward the prize even though its entrance fee has left the contract.

Impact

The raffle winner is awarded extra ETH for every refund that occurred, since each zeroed slot still contributes entranceFee to the computed prize.

If the contract does not hold enough ETH to cover the inflated prize, the payout reverts and the raffle cannot be concluded (a denial of service). If the contract does hold enough ETH, the surplus is paid out of totalFees, so the protocol's fee balance is silently consumed.

Tools Used

Manual testing

```solidity
// Foundry test against the PuppyRaffle test harness (playerEntered modifier,
// playerOne, entranceFee and puppyRaffle are fixtures of that suite).
// After a refund the contract's balance drops by one entranceFee, while
// players.length, and therefore the computed prize, does not.
function test_auditPrizePoolUpdatesAfterRefund() public playerEntered {
    uint256 prizePoolBefore = address(puppyRaffle).balance;
    vm.prank(playerOne);
    puppyRaffle.refund(0);
    uint256 prizePoolAfter = address(puppyRaffle).balance;
    assertTrue(prizePoolAfter == prizePoolBefore - entranceFee);
}
```

Recommendations

Use a uint256 state variable (for example prizePool) to track the amount actually collected: increment it by entranceFee when a player enters, decrement it when a player is refunded, and compute the winner's payout from this variable instead of from players.length.
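The following is an added illustration written for this write-up, not PuppyRaffle's own source. It models only the two facts the finding relies on (the prize is derived from players.length, and refund zeroes a slot rather than shrinking the array), then shows the recommended fix beside it. The contract names, the 1 ether fee, the participant addresses and the forge-std test are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Vulnerable model (assumed, not PuppyRaffle): prize computed from players.length.
contract LengthBasedRaffle {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    // The slot is zeroed, not removed, so players.length stays the same
    // even though entranceFee has left the contract.
    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        players[index] = address(0);
        payable(msg.sender).transfer(entranceFee);
    }

    // Vulnerable: every zeroed slot is still counted as a paid-in entrant.
    function prizePool() public view returns (uint256) {
        return players.length * entranceFee;
    }

    // What the contract can actually pay out.
    function actualFunds() external view returns (uint256) {
        return address(this).balance;
    }
}

// Hardened model following the recommendation: a dedicated accumulator that is
// updated on entry and on refund, so the prize never exceeds collected funds.
contract TrackedRaffle {
    uint256 public immutable entranceFee;
    address[] public players;
    uint256 public prizePool;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
        prizePool += entranceFee;
    }

    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        players[index] = address(0);
        prizePool -= entranceFee; // state updated before the external call
        payable(msg.sender).transfer(entranceFee);
    }
}

// Foundry test (assumed harness) showing the discrepancy and the fix.
contract RaffleLengthTest is Test {
    address alice = address(0xA11CE);
    address bob = address(0xB0B);

    function test_refundInflatesLengthBasedPrize() public {
        LengthBasedRaffle r = new LengthBasedRaffle(1 ether);
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice);
        r.enter{value: 1 ether}();
        vm.prank(bob);
        r.enter{value: 1 ether}();
        vm.prank(alice);
        r.refund(0);
        assertEq(r.prizePool(), 2 ether);   // computed from length: overstated
        assertEq(r.actualFunds(), 1 ether); // what is really held
    }

    function test_trackedPrizeFollowsRefund() public {
        TrackedRaffle r = new TrackedRaffle(1 ether);
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice);
        r.enter{value: 1 ether}();
        vm.prank(bob);
        r.enter{value: 1 ether}();
        vm.prank(alice);
        r.refund(0);
        assertEq(r.prizePool(), 1 ether);
        assertEq(address(r).balance, 1 ether);
    }
}
```

Run with forge test in a project that has forge-std installed. The first test shows the exact mismatch described above (prize exceeds balance by one entranceFee per refund); the second shows that the tracked accumulator stays equal to the contract's real balance, so the winner payout can never draw on fees or revert for lack of funds.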

Updates

Lead Judging Commences

Hamiltonite (Lead Judge), about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also get this issue. Impact: High. Likelihood: High.
