In the "withdrawFees" function, the use of a strict equality operator (==) presents a critical vulnerability. The condition checks whether "address(this).balance" is equal to "totalFees", which no longer holds once any additional wei of ether reaches the contract. As a result, the funds intended for withdrawal to "feeAddress" can never be accessed.
The "withdrawFees" function relies on a strict equality check (==), which leads to a high-severity vulnerability.
Contract
This is a snippet from the above contract, AttactPuppyRaffle.
Test
NOTE: All the test functions can be added to the PuppyRaffleTest file, because testSelectWinner() and testCanEnterRaffleMany() are functions from that file.
This vulnerability has severe consequences, as it prevents the withdrawal of fees to the designated address. Any added wei or ether breaks the equality check, locking the fees in the contract and impeding normal operations.
Manual
To address this issue, compare the contract balance and the total fees in a way that does not require exact equality, or validate the total fees separately from the balance, so that the fee withdrawal always succeeds.
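The following constructed contract, added here as an illustration and not taken from the PuppyRaffle source, puts the vulnerable strict-equality check next to a hardened version. Only the names "totalFees", "feeAddress" and "withdrawFees" come from the finding; the base contract, "collect()" and "_payFees()" are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal fee vault mirroring the pattern in the finding; not the
// PuppyRaffle source. Only totalFees, feeAddress and withdrawFees come from
// the finding, everything else is illustrative.
abstract contract FeeVaultBase {
    address public immutable feeAddress;
    uint256 public totalFees; // fees booked by the contract, in wei

    constructor(address _feeAddress) {
        feeAddress = _feeAddress;
    }

    // Stand-in for the raffle's fee accounting: every wei received here is booked.
    function collect() external payable {
        totalFees += msg.value;
    }

    function withdrawFees() external virtual;

    // Pays out exactly the booked fees; state is cleared before the call.
    function _payFees() internal {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}

// Vulnerable: strict equality. One wei that reaches the contract without
// passing through collect() makes balance != totalFees, the require reverts
// on every call, and the booked fees can never reach feeAddress.
contract FeeVaultVulnerable is FeeVaultBase {
    constructor(address f) FeeVaultBase(f) {}

    function withdrawFees() external override {
        require(address(this).balance == totalFees, "balance != totalFees");
        _payFees();
    }
}

// Fixed: pay out exactly what was booked and only require that the balance
// can cover it. Surplus wei no longer blocks the withdrawal.
contract FeeVaultFixed is FeeVaultBase {
    constructor(address f) FeeVaultBase(f) {}

    function withdrawFees() external override {
        require(address(this).balance >= totalFees, "insufficient balance");
        _payFees();
    }
}
```

A Foundry test that credits the vulnerable vault with one extra wei and expects "withdrawFees()" to revert, while the fixed vault still pays "feeAddress", reproduces the finding directly.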