snek_raffle::fulfillRandomWords does not check the success of the money prize transfer. If the transfer does fail, the raffle can still conclude without the winner ever receiving the prize money.
snek_raffle::fulfillRandomWords is supposed to select the winner of a raffle and then transfer the raffle prizes (an NFT and the prize money, i.e. the sum of entrance fees). However, it does not check the success of the transfer of the prize money. The transfer can fail for multiple reasons, including:
the recipient's inability to receive funds due to gas constraints,
contract code execution failure.
Given that the success of the transfer is not checked, if the transfer does fail, the raffle can still conclude.
To simulate the transfer failure, this contract will intentionally fail when ether is sent to it:
If the transfer fails, the raffle can still conclude without the winner receiving the prize money. In such a case, the prize money remains in the raffle contract, and will be given to the winner of the next raffle, provided that the transfer transaction to that winner is successful.
ChatGPT.
There are multiple potential solutions to this issue:
Use pull over push: implement a withdrawal pattern where winners withdraw their prizes themselves, or
Check the success of the ether transfer and revert the transaction if the transfer fails.
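The first option sketched in Vyper, as an added example that is not code from snek_raffle or from the original report. The names pending_prizes, prize_pool, _settle_prize, withdraw_prize and PrizeWithdrawn are hypothetical, and the syntax assumes Vyper 0.3.x.

```vyper
# Added example, not snek_raffle code. Assumes Vyper 0.3.x syntax.
# All state variables, functions and events below are hypothetical names.

event PrizeWithdrawn:
    winner: indexed(address)
    amount: uint256

# Ether owed to past winners that has not been collected yet.
pending_prizes: public(HashMap[address, uint256])

# Entrance fees of the raffle currently running. Assumed to be increased by
# the entrance function (not shown). It is tracked explicitly because
# self.balance also holds uncollected prizes of earlier raffles, which must
# not be paid out again to a later winner.
prize_pool: public(uint256)

@internal
def _settle_prize(winner: address):
    # Called where the winner is selected. It only records the debt and makes
    # no external call, so a winner that cannot receive ether has no effect
    # on whether the raffle concludes.
    amount: uint256 = self.prize_pool
    self.prize_pool = 0
    self.pending_prizes[winner] += amount

@external
def withdraw_prize():
    amount: uint256 = self.pending_prizes[msg.sender]
    assert amount > 0, "no prize to withdraw"

    # Effects before interaction: clear the debt first so that a reentrant
    # call from the recipient sees nothing left to withdraw.
    self.pending_prizes[msg.sender] = 0

    # With revert_on_failure=False and no return data requested, raw_call
    # returns a success flag instead of reverting by itself.
    success: bool = raw_call(msg.sender, b"", value=amount, revert_on_failure=False)

    # Checking the flag reverts the whole call on failure, which also
    # restores pending_prizes, so the winner can retry later.
    assert success, "prize transfer failed"

    log PrizeWithdrawn(msg.sender, amount)
```

A failed withdrawal here reverts only the winner's own transaction; the raffle has already concluded and the amount stays reserved for that winner.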
To implement the second option, change the code as follows: