Submission Details
Severity: high
Valid

Refund breaks the game

Summary

After a refund, the game is broken because funds can no longer be sent to the winner.

Vulnerability Details

After the refund, selectWinner() is broken.

  • refund doesn't change the array length; it replaces the refunded player's entry with the zero address.

  • selectWinner uses players.length to calculate totalAmountCollected. Once a refund has happened, the contract holds less than the calculated totalAmountCollected, and winner.call{value: prizePool}(""); will always fail until the contract has extra funds to cover the deleted players.

Impact

The smart contract is broken and unplayable once at least one user has been refunded.

Recommendations

Either remove the element from the array, or calculate totalAmountCollected from the non-zero addresses only. The latter seems more gas-efficient, since no array modifications are required.

    uint256 totalAmountCollected;
    for (uint256 i = 0; i < players.length; i++) {
        if (players[i] != address(0)) {
            totalAmountCollected += entranceFee;
        }
    }
Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.
