First raffle can be more lucrative than all others
Summary
The players participating in a raffle should win, besides the NFT, the fees payed by all participants. However, if during deployment funds are added to the raffle contract, the first raffle winner will receive all fees plus any funds added during deployment. This means that the first raffle can prove much more interesting and lucrative than all others, in stark contrast with what is detailed in the documentation.
Vulnerability Details
The constructor of the raffle smart contract is declared as payable. However, funding the contract is not necessary. This leads to two potential scenarios:
the deployment is performed without funding the smart contract. Then there is no reason why the constructor should be payable
the deployment is performed and the smart contract is funded. Then the first raffle winner will break the invariant that they should win the sum of all fees. This is due to the fact that the first winner will actually gain all fees paid PLUS whatever was sent to fund the contract during deployment.
Impact
The invariant, detailed in the documentation, regarding prizes and wins is broken.
Tools Used
Manual review, VSCode
Recommendations
If the smart contract needs a payable constructor, then implement a check to only send back entrance_fee * len(self.players).
If the smart contract does not need funding, remove the "@payable" tag from the constructor.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.