First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Overflow/Underflow Vulnerability in the `selectWinner` Function

emanherawy

Summary

The selectWinner function in the PuppyRaffle smart contract is susceptible to overflow and underflow vulnerabilities due to the lack of protection against these issues in Solidity compiler version 0.7.6. The absence of SafeMath library usage in the current implementation leaves the contract exposed to potential arithmetic problems that can be exploited by malicious actors.

Vulnerability Details

The vulnerability revolves around arithmetic operations within the selectWinner function, which involve the multiplication and division of values. Without proper overflow and underflow protection, these operations can result in unexpected and erroneous calculations. While the details of the vulnerability depend on the specific calculations performed in the function, common vulnerabilities include:

Integer Overflow: Occurs when an arithmetic operation results in a value exceeding the maximum representable integer, causing the value to wrap around to a smaller number. This can lead to incorrect calculations and unintended consequences.
Integer Underflow: Occurs when an arithmetic operation results in a value less than zero, which is not valid for unsigned integers. Underflows can lead to erroneous results and unintended behaviors.

Impact

The impact of overflow and underflow vulnerabilities can vary, but in the context of the selectWinner function, it could lead to:

Incorrect Prize Calculation: An attacker might manipulate the calculations, leading to incorrect prize pool distribution. This could result in a disproportionate reward to the winner or even draining the prize pool entirely.
Loss of Funds: If the contract relies on accurate calculations for financial transactions, the vulnerability could allow an attacker to drain funds from the contract.

Tools Used

This analysis is based on a manual review of the smart contract code.

Recommendations

To address the overflow and underflow vulnerabilities in the selectWinner function, consider the following recommendations:

Use SafeMath Library: Implement arithmetic operations with the SafeMath library to ensure that calculations do not result in overflows or underflows.

OR

** Update Compiler Version:** Consider updating to the latest compiler version, such as 0.8.0 or higher, which provides built-in protections against overflow and underflow vulnerabilities.

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

overflow-uint64

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.