First Flight #11: Snek-Raffle

First Flight #11

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

After one day, a player can enter the raffle and automatically win

n0kto

Description

To end, Snek Raffle needs to last at least 1 day, have one player, and be open. The problem arises if no one plays the raffle and waits for the end of the duration. In such a scenario, a player can directly enter the raffle and call request_raffle_winner to be sure to win.

def request_raffle_winner() -> uint256:

"""Request a random winner from the VRF Coordinator after a raffle has completed."""

is_open: bool = RaffleState.OPEN == self.raffle_state

@> time_passed: bool = (block.timestamp - self.last_timestamp) > RAFFLE_DURATION

@> has_players: bool = len(self.players) > 0

has_balance: bool = self.balance > 0

assert is_open and time_passed and has_players and has_balance, ERROR_NOT_ENDED

self.raffle_state = RaffleState.CALCULATING

request_id: uint256 = VRF_COORDINATOR.requestRandomWords(

# c gas lane dans chainlink permet de definir du premium

GAS_LANE,

SUBSCRIPTION_ID,

REQUEST_CONFIRMATIONS,

CALLBACK_GAS_LIMIT,

NUM_WORDS

)

return ERC721._total_supply()

Risk

Likelyhood: Low/Medium

After one day without any person participating the raffle.

Impact: High

A player will be sure to win.

Proof of Concept

PoC to add in `snek_raffle_test.py`

def test_instant_win_after_one_day(

raffle_boa, vrf_coordinator_boa, entrance_fee

boa.env.time_travel(seconds=INTERVAL + 1)

boa.env.set_balance(USER, STARTING_BALANCE)

with boa.env.prank(USER):

raffle_boa.enter_raffle(value=entrance_fee)

raffle_boa.request_raffle_winner()

vrf_coordinator_boa.fulfillRandomWords(0, raffle_boa.address)

recent_winner = raffle_boa.get_recent_winner()

winner_balance = boa.env.get_balance(recent_winner)

assert recent_winner == USER

assert winner_balance == entrance_fee

Recommended Mitigation

Begin the delay once the first user enters the raffle.
Alternatively, increase the minimum number of players required to end the raffle.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

136

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.