Submission Details
Severity: low
Invalid

Both the organiser and the selected Ram can be left unable to withdraw funds.

Summary

Funds can remain stuck in the Dussehra contract if no one calls Dussehra::killRavana during the mahurat window.

Vulnerability Details

The function Dussehra::killRavana is meant to succeed only between 12th October 2024 00:00:00 and 13th October 2024 00:00:00; outside that window it reverts.
If no one calls the function in that period, even though a Ram has been selected, the funds remain stuck in the Dussehra contract: the organiser never receives the transfer of his/her share, and the selected Ram cannot withdraw the reward either, because Dussehra::withdraw requires the state variable Dussehra::IsRavanKilled to be true, and nothing other than killRavana sets it.

Impact

The organiser cannot withdraw his/her share of the funds, and the selected Ram cannot withdraw the reward.

Tools Used

Manual Review

Proof of concept:

  1. Add the following test case to Dussehra.t.sol:

```solidity
function test_cannotKillRavanaAfterEventIsFinished() public participants {
    // 1728777600 is 13 Oct 2024 00:00:00 UTC, the end of the mahurat;
    // one second earlier the organiser can still select Ram.
    vm.warp(1728777600 - 1);
    vm.startPrank(organiser);
    choosingRam.selectRamIfNotSelected();
    vm.stopPrank();

    // Move past the end of the mahurat without anyone having called killRavana.
    vm.warp(1728777669 + 1);

    // killRavana now reverts for everyone, so IsRavanKilled stays false...
    vm.startPrank(player2);
    vm.expectRevert(abi.encodeWithSelector(Dussehra.Dussehra__MahuratIsFinished.selector));
    dussehra.killRavana();
    vm.stopPrank();

    // ...and the selected Ram cannot withdraw the reward either.
    vm.startPrank(player1);
    vm.expectRevert("Ravan is not killed yet!");
    dussehra.withdraw();
    vm.stopPrank();
}
```

  2. Run the following command: `forge test --mt test_cannotKillRavanaAfterEventIsFinished`

Recommendations

Add a function that unblocks the contract in this scenario and which:

  • is callable only by the organiser

  • sets Dussehra::IsRavanKilled to true.

  • transfers half of the funds to the organiser
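The sketch below is an added illustration of the recommendation above, not the project's code: it shows a minimal contract with the time-gated killRavana and the IsRavanKilled-gated withdraw described in the finding, plus the proposed organiser-only settlement function. Only the names Dussehra, killRavana, withdraw, IsRavanKilled, organiser and the Dussehra__MahuratIsFinished error come from the finding; the window constants, the totalAmountByParticipants and selectedRam variables, the other error names and the function name settleAfterMahurat are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the Dussehra contract (not the audited source).
contract DussehraSketch {
    error Dussehra__NotOrganiser();
    error Dussehra__MahuratIsNotStarted();
    error Dussehra__MahuratIsFinished();
    error Dussehra__RescueNotYetAllowed();

    // Assumed window, taken from the finding: killRavana only succeeds
    // between 12 Oct 2024 00:00:00 and 13 Oct 2024 00:00:00 (UTC).
    uint256 public constant MAHURAT_START = 1728691200;
    uint256 public constant MAHURAT_END = 1728777600;

    address public immutable organiser;
    address public selectedRam;               // assumed: set by the Ram-selection contract
    bool public IsRavanKilled;
    uint256 public totalAmountByParticipants; // assumed: ETH collected from entrants

    constructor(address _organiser) {
        organiser = _organiser;
    }

    modifier onlyOrganiser() {
        if (msg.sender != organiser) revert Dussehra__NotOrganiser();
        _;
    }

    receive() external payable {
        totalAmountByParticipants += msg.value;
    }

    // Behaviour described in the finding: anyone may call, but only inside
    // the mahurat window. Nothing else ever sets IsRavanKilled.
    function killRavana() external {
        if (block.timestamp < MAHURAT_START) revert Dussehra__MahuratIsNotStarted();
        if (block.timestamp > MAHURAT_END) revert Dussehra__MahuratIsFinished();
        _settle();
    }

    // Behaviour described in the finding: the selected Ram can only
    // withdraw once Ravan has been killed.
    function withdraw() external {
        require(IsRavanKilled, "Ravan is not killed yet!");
        require(msg.sender == selectedRam, "Only Ram can withdraw");
        uint256 reward = totalAmountByParticipants;
        totalAmountByParticipants = 0;
        (bool ok, ) = msg.sender.call{value: reward}("");
        require(ok, "Transfer failed");
    }

    // Recommended addition (hypothetical name): an organiser-only fallback
    // for the case where nobody called killRavana in time. It is gated to
    // after the mahurat so it cannot be used to settle before the public
    // window closes, and it refuses to run twice.
    function settleAfterMahurat() external onlyOrganiser {
        if (block.timestamp <= MAHURAT_END) revert Dussehra__RescueNotYetAllowed();
        require(!IsRavanKilled, "Already settled");
        _settle();
    }

    // Shared settlement: mark Ravan killed and pay half of the pot to the
    // organiser; the remaining half stays claimable by Ram via withdraw().
    function _settle() internal {
        IsRavanKilled = true;
        uint256 organiserShare = totalAmountByParticipants / 2;
        totalAmountByParticipants -= organiserShare;
        (bool ok, ) = organiser.call{value: organiserShare}("");
        require(ok, "Transfer failed");
    }
}
```

Two details matter when adding such a function in practice: the rescue path should only open after MAHURAT_END, otherwise the organiser gains a way to settle before participants have had the chance to call killRavana, and it should check that IsRavanKilled is still false so the organiser's half cannot be paid out a second time.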

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid - `killRavana` is not called

The organizer is trusted and he/she will call the `killRavana` function.
