FoundryNFT (Beginner Friendly)
Submission Details
Severity: high
Status: Invalid

Reentrancy Attack Vulnerability

Summary

The fulfillRandomWords function in the provided Vyper contract contains a potential reentrancy vulnerability. This vulnerability arises due to the external call to the recent_winner contract occurring after state changes but before the function ends. Reentrancy vulnerabilities can lead to significant financial loss if exploited, as they can allow an attacker to repeatedly call a function and potentially drain all the funds from a contract. In this case, the vulnerability could allow a malicious contract to repeatedly call the fulfillRandomWords function and continuously win the raffle, draining all the funds from the contract. Therefore, it’s crucial to address this issue promptly to ensure the security of the contract.

Vulnerability Details

In the fulfillRandomWords function, the contract state is updated before an external call is made to transfer funds to the recent_winner. If the recent_winner contract is malicious and implements a fallback function, it could call fulfillRandomWords again before the first call finishes. This could lead to unexpected behavior, such as multiple fund transfers.

Impact

If exploited, this vulnerability could lead to financial loss for the contract owner. The malicious contract could potentially drain all the funds from the contract.

Tools Used

Remix

Recommendations

To mitigate this vulnerability, you could follow the Checks-Effects-Interactions pattern, where you perform any external calls after all state changes have been made.
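As an added illustration of the Checks-Effects-Interactions ordering recommended above (a Python model written for this page, not the contest's Vyper contract; `Raffle`, `fulfill_random_words`, the `on_receive` hook and the sample amounts are assumptions): the same payout is run once with the external call before the state changes and once after them, with a winner whose receive hook calls back into the raffle.

```python
# Python model of a raffle payout (NOT the contest's Vyper contract), written to
# illustrate CEI ordering: the EVM is reduced to a balance plus a receive hook.
ENTRANCE_FEE = 10   # constructed sample values (wei-like units)
TREASURY = 40       # ether the contract holds beyond this round's prize

class Raffle:
    def __init__(self, players, effects_first):
        self.players, self.prize = list(players), ENTRANCE_FEE * len(players)
        self.balance = self.prize + TREASURY
        self.open, self.recent_winner = True, None   # models an OPEN state
        self.effects_first = effects_first  # True = Checks-Effects-Interactions

    def fulfill_random_words(self, random_word):
        # Checks: the raffle must be open and able to pay the prize.
        if not (self.open and self.balance >= self.prize):
            raise RuntimeError("revert: raffle not payable")
        winner = self.players[random_word % len(self.players)]
        if self.effects_first:
            self._apply_effects(winner)       # Effects, then the Interaction
            self._send(winner, self.prize)
        else:
            self._send(winner, self.prize)    # Interaction while still open
            self._apply_effects(winner)

    def _apply_effects(self, winner):
        self.recent_winner, self.players, self.open = winner, [], False
    def _send(self, to, amount):
        # Interaction: move value, then hand control to the recipient's code.
        self.balance -= amount
        to.received += amount
        to.on_receive(self)

class Honest:                  # ordinary entrant: accepts ether, does nothing
    received, on_receive = 0, lambda self, raffle: None

class Reenterer:               # winner whose receive hook calls back in
    def __init__(self, word):
        self.word, self.received, self.rejected = word, 0, 0
    def on_receive(self, raffle):
        try:
            raffle.fulfill_random_words(self.word)   # re-entry attempt
        except RuntimeError:
            self.rejected += 1                       # the Checks rejected it

def simulate(effects_first):
    # Returns (ether paid to the re-entering winner, re-entries rejected).
    attacker = Reenterer(word=1)                     # 1 % 2 selects index 1
    raffle = Raffle([Honest(), attacker], effects_first)
    raffle.fulfill_random_words(attacker.word)
    return attacker.received, attacker.rejected
```

With the constructed balances, the interaction-first ordering pays the 20-unit prize three times and empties the contract, while the effects-first ordering pays it once and the re-entry reverts on the state check.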

Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
