Withdrawals from `Dussehra::withdraw` and `Dussehra::killRavana` functionality are blocked when `selectedRam` is set by calling `ChoosingRam::increaseValuesOfParticipants`
Description:
When OnlyRam (a.k.a. the winning user) has been previously set selectedRam by calling ChoosingRam::increaseValuesOfParticipants, tries to kills Ravana (calling Dussehra::killRavana) and then calls Dussehra::withdraw function to collect his prize, the both functions will revert due to RamIsSelected modifier not passing the stated requirement.
Impact:
Calling Dussehra::killRavana by anyone is impossible and also withdrawals by OnlyRam when he is set selectedRam by calling ChoosingRam::increaseValuesOfParticipants, which is the primary way of picking a competitor for the prize.
This could lead to major problems -i.e. no allocation functionality of the Organiser`s or the winner prize which leads to locked funds in the contract.
Proof of Concept:
Paste the following code in the Dussehra.t.sol and initiate forge test --mt test_withdrawWhenSetRamOwn -vvvvv to see reason for revert: Ram is not selected yet!
Recommended Mitigation:
Although there is a way of changing the isRamSelected bool to true by the Organiser calling ChoosingRam::selectRamIfNotSelected function, this is not the primary way of setting selectedRam. As per the specs, this should be done ONLY IF not selected by the user.
Consider adding a line of code that changes the isRamSelected bool to true in ChoosingRam::increaseValuesOfParticipants
Tools Used
Manual review, Foundry
Lead Judging Commences
`isRamSelected` is not set
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.