Severity: high
Valid

Any malicious actor can steal entrance fees of other users

Summary

There is a vulnerability in the refund function that allows any user to steal the entrance fee of another user.

Vulnerability Details

The vulnerability is located in the refund function: the refund amount is sent to msg.sender instead of the player.
An attacker can simply call the refund function with the address of any active player, even if they are not the ones who actually paid the entrance fee. This will cause the attacker to receive the refund, and the actual player will lose their entrance fee.

Impact

The impact of this vulnerability is that it allows attackers to steal the entrance fees of other users.

Tools Used

Manual Analysis

Recommendations

Modify the refund function to send the funds to the player address instead of msg.sender.

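    function refund(uint256 playerIndex) public {
        address playerAddress = players[playerIndex];
        // Only the player who entered may refund their own slot.
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
        // Clear the slot before sending (checks-effects-interactions), so a
        // re-entrant call to refund() fails the checks above.
        players[playerIndex] = address(0);
        // Pay the stored player address, not an arbitrary caller.
        payable(playerAddress).sendValue(entranceFee);
        emit RaffleRefunded(playerAddress);
    }
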
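A Foundry regression test for the recommendation above, added here as an example and not part of the original submission or the audited code base. MiniRaffle is a constructed stand-in for the raffle, the addresses alice and mallory are made up, and a low-level call replaces sendValue so the file needs only forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in: only the state and checks that refund() relies on.
contract MiniRaffle {
    uint256 public immutable entranceFee;
    address[] public players;
    constructor(uint256 fee) { entranceFee = fee; }
    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }
    function refund(uint256 playerIndex) external {
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "Only the player can refund");
        require(playerAddress != address(0), "Player already refunded, or is not active");
        players[playerIndex] = address(0); // effect before the external call
        (bool ok,) = payable(playerAddress).call{value: entranceFee}("");
        require(ok, "refund transfer failed");
    }
}

contract RefundAccessTest is Test {
    MiniRaffle raffle;
    address alice = address(0xA11CE);  // constructed: the paying player
    address mallory = address(0xBAD);  // constructed: never entered the raffle
    uint256 constant FEE = 1 ether;

    function setUp() public {
        raffle = new MiniRaffle(FEE);
        vm.deal(alice, FEE);
        vm.prank(alice);
        raffle.enter{value: FEE}();
    }

    // A caller who is not the player at that index must be rejected.
    function test_NonPlayerCannotRefund() public {
        vm.prank(mallory);
        vm.expectRevert(bytes("Only the player can refund"));
        raffle.refund(0);
        assertEq(mallory.balance, 0);
        assertEq(address(raffle).balance, FEE);
    }

    // The real player gets the fee back and the slot is cleared.
    function test_PlayerRefundClearsSlot() public {
        vm.prank(alice);
        raffle.refund(0);
        assertEq(alice.balance, FEE);
        assertEq(raffle.players(0), address(0));
    }
}
```
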
Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
