The Solidity version used in `PuppyRaffle` is `0.7.6`. Versions before `0.8.0` do not have SafeMath enabled by default, meaning that calculations are subject to underflow and overflow. The potential for overflow exists when calculating `prizePool` because SafeMath is not used.
In `PuppyRaffle:selectWinner`, `prizePool` is determined using the following calculation:
As the Solidity version is `< 0.8.0`, SafeMath is not enabled by default and therefore calculations are subject to underflow and overflow.
The maximum value of a `uint256` is `2^256 - 1`; therefore, if `totalAmountCollected * 80` surpasses this maximum value, an overflow will occur. The threshold maximum value of `totalAmountCollected` is `9295731.07 ETH`, after which `prizePool` will overflow.
If `totalAmountCollected` surpasses `9295731.07 ETH` when calculating `prizePool`, an overflow will occur. It is unlikely that this value will be reached, but if the `entranceFee` is large or there are a very high number of `players`, it is possible that an overflow will occur.
Firstly, due to overflow in the `prizePool`, the `totalFees` that the `feeRecipient` can withdraw will be smaller than the true amount.
Secondly, if this happens, the value in the contract will be non-zero even if the `winner` is paid and the `feeRecipient` withdraws the `totalFees`. This will result in a state of DoS when calling `withdrawFees`, as explained in the following issue: Unable to withdraw fees if contract balance is non zero when no players are active.
Since causing an overflow would require a large number of `players` or a high `entranceFee`, this is a medium risk vulnerability.
Use OpenZeppelin's SafeMath when performing calculations. When using a Solidity version `< 0.8.0`, SafeMath is not enabled by default and so will need to be added manually. Alternatively, upgrade the Solidity version to `>= 0.8.0` to enable SafeMath by default. This means that if an overflow occurs, the function will revert. This will need to be handled correctly to avoid a state of DoS when calling `selectWinner()`.
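The wrapping and reverting behaviours described above, side by side, as an added example that is not PuppyRaffle's own code. The contract and function names are hypothetical, the checked multiplication is written inline instead of importing SafeMath, and the third function goes beyond the finding by computing the same 80% share without any intermediate product that can overflow, which is one way to avoid the revert-induced DoS.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.7.6;

// Added illustration only: PrizePoolMath and its functions are hypothetical names.
contract PrizePoolMath {
    // Shape of the calculation the finding describes. On 0.7.6 the
    // multiplication silently wraps modulo 2^256 instead of reverting.
    function uncheckedPrizePool(uint256 totalAmountCollected) public pure returns (uint256) {
        return (totalAmountCollected * 80) / 100;
    }

    // Inline version of the style of check SafeMath applies to multiplication:
    // if dividing the product back does not return the operand, it wrapped.
    function checkedPrizePool(uint256 totalAmountCollected) public pure returns (uint256) {
        uint256 product = totalAmountCollected * 80;
        require(product / 80 == totalAmountCollected, "prizePool: multiplication overflow");
        return product / 100;
    }

    // Overflow-free form. Writing total = 100*q + r with r < 100 gives
    // floor(total * 80 / 100) = 80*q + floor(80*r / 100), and neither term
    // can exceed total, so nothing wraps and nothing needs to revert.
    function splitPrizePool(uint256 totalAmountCollected) public pure returns (uint256) {
        uint256 wholeHundreds = totalAmountCollected / 100;
        uint256 remainder = totalAmountCollected % 100;
        return wholeHundreds * 80 + (remainder * 80) / 100;
    }

    // Constructed input: the smallest value whose product with 80 no longer
    // fits in a uint256.
    function firstOverflowingInput() public pure returns (uint256) {
        return type(uint256).max / 80 + 1;
    }

    // Compare the wrapped result with the exact one for the constructed input.
    // Calling checkedPrizePool with the same input reverts.
    function demo() external pure returns (uint256 wrapped, uint256 exact) {
        uint256 total = firstOverflowingInput();
        wrapped = uncheckedPrizePool(total);
        exact = splitPrizePool(total);
    }
}
```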
Forge