First Flight #11: Snek-Raffle

First Flight #11

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Impossible to win raffle if the winner(or max player) is a smart contract without a fallback function(or default function in vyper)

naman1729

Summary

If a player submits a smart contract without implementing the receive() or fallback() function, the attempt to send funds to the winner will fail which will prevent the winner from receiving the funds.

Vulnerability Details

Here in the pointed line, the contract is trying to send funds(pushing the funds) to the winner. If the winner is a smart contract without a receive() or fallback() function, the attempt to send funds to the winner will fail which will prevent the winner from receiving the funds.

@internal

def fulfillRandomWords(request_id: uint256, random_words: uint256[MAX_ARRAY_SIZE]):

index_of_winner: uint256 = random_words[0] % len(self.players)

recent_winner: address = self.players[index_of_winner]

self.recent_winner = recent_winner

self.players = []

self.raffle_state = RaffleState.OPEN

self.last_timestamp = block.timestamp

rarity: uint256 = random_words[0] % 3

self.tokenIdToRarity[ERC721._total_supply()] = rarity

log WinnerPicked(recent_winner)

ERC721._mint(recent_winner, ERC721._total_supply())

@> send(recent_winner, self.balance)

Impact

The winner will not receive the funds.
If Maximum players are smart contracts without a receive() or fallback() function, the funds will be locked in the contract and no one will be able to play the game again

Tools Used

manual review

Recommendations

we can change the nature of protocol to prevent this issue, by converting smart contract to pull model instead of push model by making the winner to claim the funds instead of sending the funds to the winner.
we can also add a check in enter_raffle function to check if the player is a smart contract or not, if it is a smart contract then we can prevent the player from entering the raffle.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Winner can be a contract that refuses ETH and brinks the whole contract + reverts on Chainlink VRF

Rewards breakdown

nSLOC

136

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.