Beginner Friendly
FoundryNFT
100 EXP
Submission Details
Severity: high
Invalid

`snek_raffle.vy::fulfillRandomWords` pays the winner with an unsafe `send`

Summary

`snek_raffle.vy::fulfillRandomWords` pays the winner with `send`, which reverts when the transfer fails. A winner that cannot receive ETH therefore makes the whole callback revert, which can be used for a denial-of-service (DoS) attack.

Vulnerability Details

An attacker can enter the raffle many times from a contract that cannot receive ETH (the raffle does not check whether an address is already entered, so repeat entries from the same address are accepted). If that contract is drawn as the winner, `send(recent_winner, self.balance)` in `snek_raffle.vy::fulfillRandomWords` fails and the function reverts.
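The kind of recipient the attack relies on, as an added example that is not part of the submission or of snek_raffle.vy: a Vyper contract that deliberately has no payable `__default__` function, so the plain ETH transfer made by `send` reverts, plus an entry helper that submits the same address several times. The raffle interface (`enter_raffle()` and a fixed per-entry fee) is an assumption and must be matched to the real contract.

```vyper
# @version 0.3.10
# Added example, not code from the submission or from snek_raffle.vy.
# A contract with no payable __default__ function: the call that
# send(to, value) makes (empty calldata, non-zero value) matches no
# function and reverts, so any prize pushed to this address fails.
#
# Assumptions: the raffle exposes a payable entry function named
# enter_raffle() and charges a fixed fee per entry; both are hypothetical
# names that must be matched to the real contract.

interface Raffle:
    def enter_raffle(): payable

# Upper bound for the entry loop (Vyper requires a constant loop bound).
MAX_ENTRIES: constant(uint256) = 50

raffle: public(Raffle)
owner: public(address)

@external
def __init__(raffle_address: address):
    self.raffle = Raffle(raffle_address)
    self.owner = msg.sender

@external
@payable
def enter(count: uint256, fee: uint256):
    # Enter the raffle `count` times in one transaction. This relies on the
    # raffle not rejecting repeat entries from the same address, as the
    # submission states. Every entry is recorded as this contract's address.
    assert msg.sender == self.owner, "not owner"
    assert count <= MAX_ENTRIES, "too many entries"
    assert msg.value == count * fee, "wrong value"
    for i in range(MAX_ENTRIES):
        if i >= count:
            break
        self.raffle.enter_raffle(value=fee)

# Deliberately no __default__ function: with none defined, Vyper rejects
# plain ETH transfers, which is exactly what makes the raffle's payout to
# this address fail.
```

Deploy it with the raffle's address, then call `enter(count, fee)` with `count * fee` wei attached. Each successful entry adds this address to the raffle; if it is drawn, the push payout cannot complete.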

Impact

Denial of service: `snek_raffle.vy::fulfillRandomWords` reverts on the failed `send`, so the payout does not complete when the drawn winner cannot receive ETH.

Tools Used

Manual check

Recommendations

Replace `send` with a non-reverting `safeSend` helper (an internal function that reports failure instead of reverting) and log the failure:

+event SendFailed:
+ player: indexed(address)
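Review bot: the `SendFailed` event only records the player; add the amount that could not be transferred (e.g. `amount: uint256`) so the failed prize can be accounted for and recovered from the logs.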

Update `snek_raffle.vy::fulfillRandomWords`:

-send(recent_winner, self.balance)
+success: bool = self.safeSend(recent_winner, self.balance)
+ if not success:
+ log SendFailed(recent_winner)
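Review bot: `safeSend` is not a Vyper builtin and `self.safeSend` is not defined anywhere in this hunk, so the change does not compile as written. In Vyper the non-reverting form is `raw_call(recent_winner, b"", value=self.balance, revert_on_failure=False)`, which returns the success flag this hunk assigns to `success`. Logging the failure and continuing also leaves the prize sitting in the contract with no way for the winner to claim it; on failure, credit the amount to a per-address withdrawal balance (pull payment) instead of only emitting `SendFailed`.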
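One way to write the helper the recommendation refers to, as an added example that is not code from the submission or from snek_raffle.vy: a stand-alone Vyper contract whose `_safe_send` uses `raw_call` with `revert_on_failure=False` so a failed transfer reports `False` instead of reverting, and whose payout step records an unpaid prize for pull withdrawal. The names `_safe_send`, `_pay_winner`, `pay_winner`, `pending_withdrawals`, `withdraw` and `SEND_GAS` are assumptions; `pay_winner` stands in for the VRF callback.

```vyper
# @version 0.3.10
# Added example, not code from the submission or from snek_raffle.vy: a
# stand-alone sketch of the non-reverting payout helper the recommendation
# calls safeSend, plus a pull-payment fallback so a prize that cannot be
# pushed is still claimable. Names (_safe_send, _pay_winner, pay_winner,
# pending_withdrawals, withdraw, SEND_GAS) are assumptions.

event SendFailed:
    player: indexed(address)
    amount: uint256

event Withdrawn:
    player: indexed(address)
    amount: uint256

# Gas handed to the push payout: enough for a simple receive path, too
# little for a recipient to do much work inside the fulfilment transaction.
SEND_GAS: constant(uint256) = 50000

owner: public(address)
# Prizes that could not be pushed to their winner, claimable via withdraw().
pending_withdrawals: public(HashMap[address, uint256])
# Sum of all pending prizes, kept so self.balance is never paid out twice.
total_pending: public(uint256)

@external
def __init__():
    self.owner = msg.sender

@external
@payable
def __default__():
    # Accept ETH so the contract has a balance to pay out.
    pass

@internal
def _safe_send(to: address, amount: uint256) -> bool:
    # raw_call with revert_on_failure=False returns the CALL success flag
    # instead of asserting on it, so a recipient with no payable __default__
    # (or one that reverts) does not abort the caller. This is the behaviour
    # the recommendation wants from safeSend.
    success: bool = raw_call(to, b"", value=amount, gas=SEND_GAS, revert_on_failure=False)
    return success

@internal
def _pay_winner(winner: address):
    # Stand-in for the payout step of fulfillRandomWords. Only the part of
    # the balance not already owed to earlier winners is at stake.
    prize: uint256 = self.balance - self.total_pending
    if not self._safe_send(winner, prize):
        # Push failed: record the prize for pull withdrawal instead of
        # reverting (which would keep the raffle stuck) or dropping it.
        self.pending_withdrawals[winner] += prize
        self.total_pending += prize
        log SendFailed(winner, prize)

@external
def pay_winner(winner: address):
    # Test hook standing in for the VRF callback; the real raffle picks the
    # winner from its players array and resets its state before paying.
    assert msg.sender == self.owner, "not owner"
    self._pay_winner(winner)

@external
def withdraw():
    # Pull payment: the winner calls this from a context that can receive
    # ETH and pays its own gas, so the raffle no longer depends on it.
    amount: uint256 = self.pending_withdrawals[msg.sender]
    assert amount > 0, "nothing to withdraw"
    self.pending_withdrawals[msg.sender] = 0
    self.total_pending -= amount
    raw_call(msg.sender, b"", value=amount)
    log Withdrawn(msg.sender, amount)
```

With a winner that has no payable `__default__`, `pay_winner` completes, emits `SendFailed` and leaves the prize in `pending_withdrawals`; a later `withdraw()` from a contract function that can receive ETH collects it. `total_pending` is what keeps a second draw from paying out ETH that is already owed to an earlier winner.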
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
