Submission Details
Severity: high
Valid

H-1: refund function has reentrancy vulnerability

Summary

HIGH-1: The "refund" function has a reentrancy vulnerability. The function transfers the entrance fee before the player is removed from the active players array, which opens a window for a reentrancy attack.

Vulnerability Details

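function refund(uint256 playerIndex) public {
    [...]

    // External call first: msg.sender's code runs while its slot is still set
    payable(msg.sender).sendValue(entranceFee);

    // State update happens only after the call returns
    players[playerIndex] = address(0);
    emit RaffleRefunded(playerAddress);
}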

The function transfers the entranceFee to the player before that player is removed from the players array. A recipient can therefore call refund again while the transfer is still in progress, before its slot has been cleared, and withdraw the entranceFee multiple times.

Impact

High impact: the entire balance of the contract can potentially be drained.

Tools Used

Static analysis, local testing

Recommendations

Transfer the funds after resetting the player in the players array. The following structure is proposed to mitigate the reentrancy vulnerability.

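function refund(uint256 playerIndex) public {
    [...]

    // Effect first: clear the slot so a nested refund call no longer matches
    players[playerIndex] = address(0);

    // Interaction last: the transfer runs against already-updated state
    payable(msg.sender).sendValue(entranceFee);
    emit RaffleRefunded(playerAddress);
}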
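The two orderings above can be compared in a small Python model, added here as an illustration; it is not code from the submission or from the audited contract. The ownership check standing in for the elided `[...]`, the class and function names, and the four-entry setup are assumptions.

```python
class Revert(Exception):
    """A failed require(); raised here only before a frame changes state."""

class Raffle:
    def __init__(self, fee, effects_first):
        self.fee, self.effects_first = fee, effects_first
        self.players, self.balance = [], 0    # None stands for address(0)

    def enter(self, account):
        self.players.append(account)
        self.balance += self.fee
        return len(self.players) - 1

    def _send_value(self, account):
        if self.balance < self.fee:
            raise Revert("insufficient balance")
        self.balance -= self.fee
        account.receive(self, self.fee)       # recipient code runs here

    def refund(self, caller, index):
        # Assumed stand-in for the checks elided as [...] on the page.
        if self.players[index] is not caller:
            raise Revert("not the active player at this index")
        if self.effects_first:                # recommended order
            self.players[index] = None
            self._send_value(caller)
        else:                                 # order in the finding
            self._send_value(caller)
            self.players[index] = None

class CallbackRecipient:
    """Contract recipient whose receive hook calls refund() again."""
    received, index = 0, None

    def receive(self, raffle, amount):
        self.received += amount
        try:
            raffle.refund(self, self.index)
        except Revert:
            pass                              # nested call was rejected

def simulate(effects_first, other_players=3, fee=1):
    raffle = Raffle(fee, effects_first)
    for _ in range(other_players):
        raffle.enter(object())                # entries that never refund
    recipient = CallbackRecipient()
    recipient.index = raffle.enter(recipient)
    raffle.refund(recipient, recipient.index)
    return recipient.received, raffle.balance # (paid out, left in contract)
```

`simulate(False)` follows the ordering in the finding and `simulate(True)` the recommended one; a regression test for the fix can assert that a single entry is never paid more than one entranceFee.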

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

reentrancy-in-refund

reentrancy in refund() function
