Submission Details
Severity: low
Invalid

If the caller calls the `enter_raffle` function with more `msg.value` than the `ENTRANCE_FEE`, the caller will receive an incorrect error message

Summary

The error returned when the user sends more than the `ENTRANCE_FEE` when calling the `enter_raffle` function is confusing.

Vulnerability Details

The `enter_raffle` function requires a caller to send a given fee amount in order to participate in the raffle.

```
def enter_raffle():
    """Enter the raffle by sending the entrance fee."""
@>  assert msg.value == ENTRANCE_FEE, ERROR_SEND_MORE_TO_ENTER_RAFFLE
    assert self.raffle_state == RaffleState.OPEN, ERROR_RAFFLE_NOT_OPEN
    self.players.append(msg.sender)
    log RaffleEntered(msg.sender)
```

The function checks that `msg.value` is equal to the `ENTRANCE_FEE`. If the sent amount is different from the `ENTRANCE_FEE`, the function reverts with the error `ERROR_SEND_MORE_TO_ENTER_RAFFLE`.
This means the function also reverts with this error if the `msg.value` is greater than the `ENTRANCE_FEE`.

Impact

The following test case shows that when the USER sends more than the `ENTRANCE_FEE` when calling the `enter_raffle` function, the function reverts. The USER receives the error `ERROR_SEND_MORE_TO_ENTER_RAFFLE`, but this error message is inappropriate in that case. If the USER calls the function again with more `msg.value`, the result will be the same. This leads to confusion for the USER.
You can add the test to `snek_raffle_test.py` and execute it using the command `pytest -k 'test_raffle_reverts_when_you_pay_more'`.

```python
def test_raffle_reverts_when_you_pay_more(raffle_boa, entrance_fee):
    # Fund USER, then enter with one wei more than the entrance fee
    boa.env.set_balance(USER, STARTING_BALANCE + 1)
    with boa.env.prank(USER):
        with boa.reverts("SnekRaffle: Send more to enter raffle"):
            raffle_boa.enter_raffle(value=entrance_fee + 1)
```

Tools Used

VS Code, pytest

Recommendations

Change the error message to something more appropriate for both cases: when the user sends less or more than the `ENTRANCE_FEE`.
For example:

...
- ERROR_SEND_MORE_TO_ENTER_RAFFLE: constant(String[100]) = "SnekRaffle: Send more to enter raffle"
+ ERROR_NOT_THE_CORRECT_AMOUNT: constant(String[100]) = "SnekRaffle: The msg.value is more or less than the required entrance fee"
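
Review bot: the new string on the `+` line replaces "SnekRaffle: Send more to enter raffle", which the test `test_raffle_reverts_when_you_pay_more` shown earlier in this submission matches through `boa.reverts(...)`. That expectation, and any other reference to `ERROR_SEND_MORE_TO_ENTER_RAFFLE`, has to be updated together with this rename, otherwise the test fails once the fix is applied.
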
....
def enter_raffle():
"""Enter the raffle by sending the entrance fee."""
+ assert msg.value == ENTRANCE_FEE, ERROR_NOT_THE_CORRECT_AMOUNT
- assert msg.value == ENTRANCE_FEE, ERROR_SEND_MORE_TO_ENTER_RAFFLE
assert self.raffle_state == RaffleState.OPEN, ERROR_RAFFLE_NOT_OPEN
self.players.append(msg.sender)
log RaffleEntered(msg.sender)
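
Review bot: the replacement assert still reports one message for both underpayment and overpayment, so the caller cannot tell in which direction to correct `msg.value`. Consider keeping `assert msg.value >= ENTRANCE_FEE, ERROR_SEND_MORE_TO_ENTER_RAFFLE` and adding a second assert on `msg.value <= ENTRANCE_FEE` with its own message, which keeps the existing message accurate. As a style point, the `+` line is listed before the `-` line it replaces, the reverse of the usual diff order.
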
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
