Submission Details
Severity: high
Valid

`totalFees` overflow and unsafe downcast leading to fees stuck in contract.

Summary

The `uint64` `totalFees` overflow and the unsafe downcast cause the check in `withdrawFees()` to fail and revert.

Vulnerability Details

```solidity
function testSelectWinnerWithdrawTotalFeeOverflow() public {
    // @audit: generate 100 player addresses for the raffle
    uint256 PLAYER_BATCH = 100;
    address[] memory players = new address[](PLAYER_BATCH);
    for (uint256 i = 0; i < PLAYER_BATCH; i++) {
        players[i] = address(i);
    }
    // @audit: enter raffle
    puppyRaffle.enterRaffle{value: entranceFee * PLAYER_BATCH}(players);
    // @audit: skip the timelock and call `selectWinner()`
    vm.warp(block.timestamp + duration + 1);
    vm.roll(block.number + 1);
    puppyRaffle.selectWinner();
    // @audit: `withdrawFees()` will revert because the
    // `address(this).balance == uint256(totalFees)` check fails
    console.log(address(puppyRaffle).balance);
    console.log(puppyRaffle.totalFees());
    puppyRaffle.withdrawFees();
}
```

Impact

`withdrawFees()` will always revert, causing the fees to be stuck in the contract.

Tools Used

Manual review.

Recommendations

Implement OpenZeppelin's SafeMath to prevent overflow and SafeCast to downcast safely.
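
A reduced model of the accounting this finding describes, as an added example that is not the audited contract's code: `FeeAccountingModel`, `recordFeeUnsafe`, `recordFeeChecked` and `feeAddress` are hypothetical names, and a pre-0.8 compiler is assumed. The inline `require` checks stand in for the SafeCast and SafeMath calls recommended above so the example needs no imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6; // assumption: pre-0.8 compiler, where arithmetic wraps silently

// Constructed model of the fee accounting; not the audited contract's code.
contract FeeAccountingModel {
    uint64 public totalFees;
    address payable public feeAddress; // hypothetical fee recipient

    constructor(address payable _feeAddress) {
        feeAddress = _feeAddress;
    }

    // Vulnerable pattern: unchecked downcast plus unchecked uint64 addition.
    function recordFeeUnsafe(uint256 fee) external payable {
        require(msg.value == fee, "fee must be funded");
        // uint64(fee) keeps only the low 64 bits, so any fee above
        // 2**64 - 1 wei (about 18.44 ether) is truncated, and the
        // addition wraps around if the running total exceeds that bound.
        totalFees = totalFees + uint64(fee);
    }

    // Hardened pattern: range check before the cast, overflow check after the add.
    function recordFeeChecked(uint256 fee) external payable {
        require(msg.value == fee, "fee must be funded");
        require(fee <= type(uint64).max, "fee does not fit in uint64");
        uint64 sum = totalFees + uint64(fee);
        require(sum >= totalFees, "totalFees overflow");
        totalFees = sum;
    }

    function withdrawFees() external {
        // Once totalFees has been truncated or wrapped, the balance is
        // permanently larger than totalFees and this check never passes.
        require(address(this).balance == uint256(totalFees), "balance mismatch");
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the checked path, an oversized fee reverts at accounting time instead of silently desynchronising `totalFees` from the contract balance.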

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

unsafe cast of fee to uint64

overflow-uint64
