Beginner FriendlyFoundryNFT
Submission Details
Severity: high
Invalid

Reentrancy due to Improper state Update before External Call

Summary

The function selectWinner is susceptible to a reentrancy attack because it sends Ether to the winner before updating the contract's state, including clearing the list of players and updating the start time for the next raffle. An attacker can exploit this by creating a malicious contract that calls back into selectWinner during the Ether transfer, potentially allowing them to repeatedly win the raffle and drain funds from the contract.

Vulnerability Details

  1. External Call Before State Update:
    The function sends Ether to the winner using winner.call{value: prizePool}("") before it has updated the contract's state. The state updates include clearing the players array, updating the raffle start time, and setting the previous winner.

  2. Control Given to External Entity:
    If the winner is a contract, its fallback or receive function is invoked when Ether is sent to it. A malicious contract can use this function to call back into selectWinner.

  3. Potential for Multiple Reentrant Calls:
    Since the state is not updated before the Ether is sent, the malicious contract can take advantage of the outdated state, possibly allowing it to repeatedly win the raffle, drain funds, or otherwise manipulate the game in its favor.

  4. Inconsistent State:
    During the attack the contract operates on an inconsistent state, because the state updates that are performed after sending the prize are not yet complete.

Impact

Loss of funds, state corruption, unfair game outcomes.

Tools Used

Foundry, manual review

Recommendations

Follow the Checks-Effects-Interactions pattern: in selectWinner, clear the players array, update the raffle start time and set the previous winner before making the external call that transfers the prize.
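The following is an added illustration of the recommended ordering, written for this report and not taken from the audited project. It is a simplified raffle where selectWinner performs all checks, then all storage writes, and only then the external prize transfer. The contract name, the storage layout, enterRaffle, the seed parameter and the nonReentrant modifier are assumptions made for the example; the winner-selection logic is a placeholder and not a randomness source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified raffle (example only, not the audited project's code).
contract CeiRaffle {
    address[] public players;
    address public previousWinner;
    uint256 public raffleStartTime;
    uint256 public immutable raffleDuration;
    uint256 public immutable entranceFee;
    bool private locked; // reentrancy guard, kept as defense in depth

    event WinnerSelected(address indexed winner, uint256 prize);

    constructor(uint256 _entranceFee, uint256 _raffleDuration) {
        entranceFee = _entranceFee;
        raffleDuration = _raffleDuration;
        raffleStartTime = block.timestamp;
    }

    // Rejects any call that re-enters while a guarded function is still running.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "wrong entrance fee");
        players.push(msg.sender);
    }

    // `seed` is a placeholder for whatever selection mechanism the real
    // contract uses; the point of this example is the statement ordering.
    function selectWinner(uint256 seed) external nonReentrant {
        // --- Checks: validate preconditions against current storage ---
        require(block.timestamp >= raffleStartTime + raffleDuration, "raffle not over");
        require(players.length > 0, "no players");

        // --- Effects: read what is needed, then update ALL state first ---
        uint256 winnerIndex = seed % players.length; // placeholder selection
        address winner = players[winnerIndex];
        uint256 prizePool = address(this).balance;

        previousWinner = winner;
        raffleStartTime = block.timestamp; // next round starts now
        delete players;                    // clear entrants before paying out
        emit WinnerSelected(winner, prizePool);

        // --- Interactions: external call last ---
        // If the winner's receive/fallback re-enters selectWinner, it now sees
        // an empty players array and a fresh start time, so the Checks above
        // revert; the nonReentrant guard rejects the call independently.
        (bool success, ) = winner.call{value: prizePool}("");
        require(success, "prize transfer failed");
    }
}
```

With this ordering the state a re-entrant call would observe is already the post-payout state, so the original finding's "outdated state" no longer exists when control is handed to the winner; the guard is an additional, independent defense rather than the primary fix.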

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
