The winner can be a malicious contract whose fallback function reverts when it receives the ETH reward, so the payout below reverts:
send(recent_winner, self.balance)
Actors
Protocol: snek raffle contract
Attacker: the winner
Exploit Scenario:
Initial State: The protocol is deployed and players are entering the raffle, among them several malicious contracts created by the attacker.
Step 1: request_raffle_winner() is called and the state is set to CALCULATING.
Step 2: rawFulfillRandomWords() is called by the VRF_COORDINATOR, which triggers the call to fulfillRandomWords().
Step 3: The attacker has created several malicious contracts, each with a fallback function that reverts when the contract receives ETH, and has entered the raffle several times with each of them to increase his chances of winning; eventually one of his contracts is selected as the winner.
Outcome: The winner is one of the attacker's malicious contracts, so the send() reverts.
The protocol is under DoS: fulfillRandomWords() reverts, the state stays CALCULATING, and no other winner can be requested.
Manual analysis
Make the following change: create a ClaimReward() function that lets winners withdraw their rewards at any time, so that a reverting winner cannot put the protocol under DoS. Keep a dynamic array of the winners and their earnings, updated inside fulfillRandomWords() when a winner is picked and inside ClaimReward() when a reward is withdrawn.
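The pull-over-push payout proposed above, written out as an added example; this is not the snek raffle contract's code. It uses a HashMap of pending rewards rather than a dynamic array (either works; the map avoids looping over winners at claim time) and adds a `total_pending` counter so that unclaimed rewards are not paid out again as part of the next round's prize. The names `_settle_winner`, `claim_reward`, `pending_rewards`, `total_pending`, `players` and the state constants are assumptions, and the VRF request/callback plumbing is omitted.

```vyper
# @version ^0.3.7
# Added example (not the snek raffle contract's own code): record the
# winner's reward in storage and let the winner withdraw it later, so
# that a reverting fallback cannot revert the VRF callback.

OPEN: constant(uint256) = 0
CALCULATING: constant(uint256) = 1
MAX_PLAYERS: constant(uint256) = 1000

raffle_state: public(uint256)
recent_winner: public(address)
players: DynArray[address, MAX_PLAYERS]
# Assumed name: reward owed to each winner, waiting to be claimed.
pending_rewards: public(HashMap[address, uint256])
# Assumed name: sum of all unclaimed rewards, excluded from the next prize.
total_pending: uint256

@internal
def _settle_winner(random_word: uint256):
    # Called from the VRF callback instead of send(recent_winner, self.balance).
    # Only storage writes happen here, so the callback cannot be reverted
    # by the winner and raffle_state cannot get stuck at CALCULATING.
    assert len(self.players) > 0, "no players"
    winner: address = self.players[random_word % len(self.players)]
    prize: uint256 = self.balance - self.total_pending
    self.pending_rewards[winner] += prize
    self.total_pending += prize
    self.recent_winner = winner
    self.players = empty(DynArray[address, MAX_PLAYERS])
    self.raffle_state = OPEN

@external
@nonreentrant("claim")
def claim_reward():
    # The winner withdraws in its own transaction. If its fallback reverts,
    # only this call fails; the raffle keeps running for everyone else.
    amount: uint256 = self.pending_rewards[msg.sender]
    assert amount > 0, "nothing to claim"
    # Zero the balance before the external call (checks-effects-interactions).
    self.pending_rewards[msg.sender] = 0
    self.total_pending -= amount
    send(msg.sender, amount)
```

With this shape, fulfillRandomWords() only calls `_settle_winner`, so the state transition back to OPEN no longer depends on the winner accepting ETH; the `@nonreentrant` lock and the zero-before-send ordering in `claim_reward` keep the withdrawal itself safe against re-entry.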