Submission Details
Severity: medium
Valid

Forcibly sent ether causes failure in the withdrawFees function

When an attacker deliberately sends unauthorized ether to the contract (from an EOA or via `selfdestruct`), it triggers a critical failure in the `withdrawFees` function because of its `require` statement. The condition, `require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");`, is designed to check that the contract balance matches the total fees. Ether that arrives outside the contract's normal flow is not counted in `totalFees`, so it breaks this equality. For example, when the attacker sends 10 wei and the fee is 2 wei, the contract balance becomes 10 wei plus 2 wei while `totalFees` is still 2 wei, so the `require` check will never pass. Every withdrawal reverts, locking up the money inside the contract.

# Recommendation
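```solidity
function withdrawFees(uint _amount) external {
    // Check if the raffle is over
    require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle is still ongoing");
    // Bound the withdrawal by internal accounting, not by address(this).balance
    require(_amount <= totalFees, "amount > totalFees");
    // Update state before the external call
    totalFees = totalFees - _amount;
    // Send the requested amount (the original referenced an undefined feesToWithdraw)
    (bool success,) = feeAddress.call{value: _amount}("");
    require(success, "PuppyRaffle: Failed to withdraw fees");
}
```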
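
The following Foundry regression test is an added example, not code from the submission or from the audited contract. It places the strict balance check from the finding beside the recommended accounting-based check, using the 2 wei fee and 10 wei forced transfer from the description. `FeeVault`, `ForceSender`, `collectFee`, `withdrawStrict` and `withdrawTracked` are hypothetical names, and it assumes a Foundry project with `forge-std` installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the fee accounting only; not the audited contract.
contract FeeVault {
    uint256 public totalFees;
    address public immutable feeAddress;
    constructor(address _feeAddress) { feeAddress = _feeAddress; }
    function collectFee() external payable { totalFees += msg.value; }

    // Pattern from the finding: strict equality against the live balance.
    function withdrawStrict() external {
        require(address(this).balance == totalFees, "balance != totalFees");
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok,) = feeAddress.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Recommended pattern: trust internal accounting, never the raw balance.
    function withdrawTracked(uint256 amount) external {
        require(amount <= totalFees, "amount > totalFees");
        totalFees -= amount;
        (bool ok,) = feeAddress.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Constructed helper: delivers ether without running any code on the receiver.
contract ForceSender {
    constructor() payable {}
    function destroy(address payable to) external { selfdestruct(to); }
}

contract FeeVaultTest is Test {
    function test_forcedEtherOnlyBreaksStrictCheck() public {
        address fee = makeAddr("fee");
        FeeVault vault = new FeeVault(fee);
        vault.collectFee{value: 2}();                 // 2 wei of tracked fees
        ForceSender sender = new ForceSender{value: 10}();
        sender.destroy(payable(address(vault)));      // 10 wei untracked
        assertEq(address(vault).balance, 12);
        vm.expectRevert(bytes("balance != totalFees"));
        vault.withdrawStrict();                       // blocked: 12 != 2
        vault.withdrawTracked(2);                     // unaffected by the surplus
        assertEq(fee.balance, 2);
        assertEq(address(vault).balance, 10);
    }
}
```

After the tracked withdrawal the 10 wei surplus remains in the contract, so a design that wants to recover it needs a separate, explicitly authorized sweep of `address(this).balance - totalFees`.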

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

greifers-send-money-to-contract-to-block-withdrawfees
