Submission Details
Severity: medium
Valid

It is possible to make withdrawFees() non-callable

Summary

If someone force-sends ether to the protocol, it won't be possible to withdraw fees.

Vulnerability Details

The withdrawFees() function has the following requirement:

    function withdrawFees() external {
        require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
        // ... rest of the function not shown in this report
    }

This strict requirement opens an attack vector: if someone forcefully sends value to the contract without using the enterRaffle function (via selfdestruct), this statement will fail because the contract will hold more balance than totalFees. Hence withdrawFees won't ever be callable.

Impact

It is not possible to call withdrawFees if someone sends ether to the protocol forcefully. This has a high impact because all fees will be lost, hence funds are directly at risk. It also has a high likelihood because it is enough to self-destruct a contract with 1 wei in it and send the wei to PuppyRaffle. Hence this is high.

Tools Used

Manual Review

Recommendations

Instead of using a strict equality in the require statement, use >=. This way, even if there are more funds in the protocol than the calculated fee amount, fees won't get stuck.
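The strict check and the recommended >= check side by side, as an added example that is not the PuppyRaffle source or the submitter's code. The contract FeeVaultSketch and the functions recordFee, withdrawFeesStrict, withdrawFeesRelaxed and _payOut are hypothetical, and totalFees is a uint256 here to keep the comparison free of casts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified fee vault (hypothetical; not the PuppyRaffle source). It keeps
// only the accounting needed to compare the strict check with the relaxed one.
contract FeeVaultSketch {
    address public immutable feeAddress;
    uint256 public totalFees; // fees recorded by the contract's own logic

    constructor(address _feeAddress) {
        feeAddress = _feeAddress;
    }

    // Stand-in for the fee bookkeeping done when a raffle round settles.
    function recordFee() external payable {
        totalFees += msg.value;
    }

    // Before: strict equality, as quoted in the finding. Ether that arrives
    // without running any contract code raises address(this).balance but not
    // totalFees, so this check reverts from then on.
    function withdrawFeesStrict() external {
        require(address(this).balance == totalFees, "balance != totalFees");
        _payOut();
    }

    // After: the recommended >= check. Surplus ether no longer blocks the
    // call, and only the recorded fees are paid out.
    function withdrawFeesRelaxed() external {
        require(address(this).balance >= totalFees, "balance < totalFees");
        _payOut();
    }

    function _payOut() private {
        uint256 feesToWithdraw = totalFees;
        totalFees = 0; // effects before the external call
        (bool success, ) = feeAddress.call{value: feesToWithdraw}("");
        require(success, "fee transfer failed");
    }
}
```

Because the payout amount comes from totalFees and not from address(this).balance, unaccounted ether stays in the contract and does not change what the fee address receives.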

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

greifers-send-money-to-contract-to-block-withdrawfees
