Submission Details
Severity:
withdrawFees() can be called by notTheOwner
Summary
The PuppyRaffle::withdrawFees() function is currently accessible to anyone. However, it's worth noting that the feeAddress is established and controlled by the contract owner. Therefore, it's advisable to limit the withdrawal access to the contract owner exclusively. In this manner, the owner can exercise discretion in determining when to withdraw fees from the system.
Vulnerability Details
@>function withdrawFees() external {
require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
uint256 feesToWithdraw = totalFees;
totalFees = 0;
(bool success,) = feeAddress.call{value: feesToWithdraw}("");
require(success, "PuppyRaffle: Failed to withdraw fees");
}
Impact
//Everyone can call the withdraw fees function
function testNotOwnerCanWithdrawFees() public playersEntered {
vm.warp(block.timestamp + duration + 1);
vm.roll(block.number + 1);
uint256 expectedFeeAmount = ((entranceFee * 4) * 20) / 100;
console.log("The expected fee amount:", expectedFeeAmount);
puppyRaffle.selectWinner();
vm.prank(playerOne);
puppyRaffle.withdrawFees();
assertEq(address(feeAddress).balance, expectedFeeAmount);
console.log("The withdrawed fee:", address(feeAddress).balance);
}
Tools Used
Manual review
Recommendations
Restrict with onlyOwner modifier the PuppyRaffle::withdrawFees() function.
- function withdrawFees() external {
+ function withdrawFees() external onlyOwner{
require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
uint256 feesToWithdraw = totalFees;
totalFees = 0;
(bool success,) = feeAddress.call{value: feesToWithdraw}("");
require(success, "PuppyRaffle: Failed to withdraw fees");
}
Updates
Lead Judging Commences
Hamiltonite about 2 years ago
Submission Judgement Published Reason: User experience and design improvement
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.