If a smart contract enters the raffle and it does not implement the receive()
or fallback()
function, the call used to send the funds to the winner will fail to execute, compromising the functionality of the protocol.
It is also important to note that the official VRF Security Considerations by Chainlink indicate that the call to fulfillRandomWords()
must not revert.
The vulnerability comes from the way smart contracts work in EVM chains; if a smart contract does not implement the receive()
and/or fallback()
function, it will not accept incoming ETH. Therefore, the highlighted line of the code snippet below would revert if the recent_winner
is a contract that does not agree to receive ether.
The protocol will not be able to select a winner and send funds to it if that winner is a smart contract that does not accept ETH.
Manual analysis.
Consider updating the implementation of the fulfillRandomWords()
function to make sure it never reverts, as recommended by the official VRF Security Considerations. For this, Chainlink suggests the following generic recommendation: "Consider simply storing the randomness and taking more complex follow-on actions in separate contract calls made by you, your users, or an Automation Node".
Furthermore, consider changing the highlighted send()
above for a raw_call()
that handles the case where recipients do not accept ETH. Finally, for such cases, the contract could take note of the winner and let it call a new function to indicate where to send the prize.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.