The code provided for the enterRaffle function has a vulnerability related to overflow.
The vulnerability arises from the line:
If the multiplication of entranceFee and newPlayers.length exceeds the maximum value that can be represented by a uint256 variable, an overflow will occur. Since all these parameters are manipulable by the sender, it is possible for the sender to enter a large number of addresses and a pre-calculated msg.value to bypass the check.
This vulnerability can be tested by setting up a large entranceFee amount (close to type(uint256).max) and sending an array with only two players, triggering an overflow.
If an attacker exploits this vulnerability by providing a large number of newPlayers addresses and a pre-calculated msg.value, they can enter the raffle without sending the required amount of funds and even reduce the fees.
Because withdrawFees uses a strict equality check on the contract balance, the mismatch breaks that function and all current and future fees will be lost forever.
Manual review.
To mitigate this vulnerability, consider implementing the following measures:
Update to Solidity 0.8.0 or a later version, as these versions perform checked arithmetic by default and revert on overflow.
Alternatively, you can use a safe multiplication function like safeMul from OpenZeppelin's SafeMath library to ensure that the multiplication does not result in an overflow.
Implement a limit on the number of addresses that can be passed in the newPlayers array to prevent potential abuse and reduce the risk of overflow.
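The following is an added example, not code from the audited contract or the finding: it models the EVM arithmetic behind the enterRaffle fee check, shows why the wrapping multiplication accepts a wrong msg.value, and shows that a checked multiplication (Solidity >= 0.8 or SafeMath) rejects it. The fee and player counts are constructed values.

```python
UINT256_MAX = 2**256 - 1
MOD = 2**256


def unchecked_mul(a: int, b: int) -> int:
    """Solidity < 0.8 semantics: the product silently wraps modulo 2**256."""
    return (a * b) % MOD


def checked_mul(a: int, b: int) -> int:
    """Solidity >= 0.8 / SafeMath semantics: revert (raise) on overflow."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("multiplication overflow")
    return product


def enter_raffle_unchecked(entrance_fee: int, msg_value: int, n_players: int) -> bool:
    """Vulnerable form of the check: msg.value == entranceFee * newPlayers.length."""
    return msg_value == unchecked_mul(entrance_fee, n_players)


def enter_raffle_checked(entrance_fee: int, msg_value: int, n_players: int) -> bool:
    """Hardened form: the multiplication reverts instead of wrapping."""
    try:
        required = checked_mul(entrance_fee, n_players)
    except OverflowError:
        return False  # transaction reverts; the entry is rejected
    return msg_value == required


def min_players_to_wrap(entrance_fee: int) -> int:
    """Smallest array length at which entranceFee * length exceeds uint256."""
    return -(-MOD // entrance_fee)  # ceil(2**256 / entrance_fee)


if __name__ == "__main__":
    # Constructed fee: 2**255 + 1 wei makes fee * 2 wrap to just 2 wei.
    huge_fee = 2**255 + 1
    print(unchecked_mul(huge_fee, 2))                 # 2
    print(enter_raffle_unchecked(huge_fee, 2, 2))     # True  (vulnerable)
    print(enter_raffle_checked(huge_fee, 2, 2))       # False (hardened)
    # With a realistic fee of 1 ether the wrap needs ~1e59 players, so the
    # issue only matters if the owner configures an absurdly large fee.
    print(min_players_to_wrap(10**18))
```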
You'd have to have a TON of money for this to happen. IMPACT: HIGH. LIKELIHOOD: VERY LOW.