Beginner FriendlyFoundryNFT
100 EXP
Submission Details
Severity: medium
Invalid

ETH forced into snek_raffle via another contract's selfdestruct breaks the invariant that the amount received by the winner equals the sum of all entrance fees.

Summary

The protocol documentation clearly states that the raffle winner's winnings should be exactly the sum of the entrance fees.

Although snek_raffle has no payable function other than enter_raffle, ETH can still be pushed into it through the selfdestruct of another contract. The contract balance then exceeds the total of the entrance fees received, breaking the invariant that the winnings equal the sum of the entrance fees.

Vulnerability Details

  • The vulnerability arises because fulfillRandomWords sends the entire balance of the snek_raffle contract instead of sending only the amount received through entrance fees, which would require tracking that amount in a separate variable. This breaks the invariant that the winnings received should equal all the entrance fees added together.

  • A user who force-sends ETH via a contract's selfdestruct breaks the invariant, because self.balance then equals all the entrance fees plus the force-received ETH.

Impact

Breaks the protocol invariant: the winner receives the balance of the contract, which should equal all the entrance fees added together, but the contract balance will no longer equal the sum of the entrance fees.

Tools Used

Manual Review

Recommendations

Maintain separate accounting of all the entrance fees received and use that variable for the payout instead of self.balance.
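As an added illustration of this recommendation (not the snek_raffle source), a simplified Vyper raffle that tracks paid fees in a dedicated variable; ENTRANCE_FEE, MAX_PLAYERS, entrance_fees_collected and _pay_winner are assumed names, and the VRF fulfillRandomWords callback is reduced to an internal helper:

```vyper
# @version 0.3.10
# Added example, not the snek_raffle source. Names below are assumptions.

MAX_PLAYERS: constant(uint256) = 1000
ENTRANCE_FEE: constant(uint256) = 10 ** 16  # 0.01 ETH, constructed value

players: DynArray[address, MAX_PLAYERS]
# Fees actually paid through enter_raffle. Unlike self.balance this cannot be
# inflated by ETH forced in via selfdestruct, so it is the correct prize base.
entrance_fees_collected: public(uint256)

@external
@payable
def enter_raffle():
    assert msg.value == ENTRANCE_FEE, "incorrect entrance fee"
    self.players.append(msg.sender)
    self.entrance_fees_collected += msg.value

@internal
def _pay_winner(random_word: uint256):
    # Stand-in for the VRF fulfillRandomWords callback: pick and pay the winner.
    assert len(self.players) > 0, "no players"
    winner: address = self.players[random_word % len(self.players)]

    # Pattern described in this report: pays whatever the contract holds,
    # including any ETH forced in via selfdestruct.
    # prize: uint256 = self.balance

    # Hardened: pay only what was collected as entrance fees, and reset state
    # before the external call (checks-effects-interactions).
    prize: uint256 = self.entrance_fees_collected
    self.entrance_fees_collected = 0
    self.players = empty(DynArray[address, MAX_PLAYERS])
    send(winner, prize)
```

Any ETH above entrance_fees_collected simply remains in the contract instead of inflating the prize, so the invariant holds regardless of forced transfers.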

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
