Submission Details
Severity: low
Invalid

Funds could be stuck in the smart contract Dussehra after the end of the event

Summary

It is possible to call enterPeopleWhoLikeRam and send ETH to the contract even after the event and Ravana's kill. The funds could be stuck in the smart contract.

Vulnerability Details

It is possible to call enterPeopleWhoLikeRam and send ETH to the contract even after the event and Ravana's kill. The funds could be stuck in the smart contract if the winner withdraws his reward before they send ETH to the contract.

Impact

Users could lose their funds if they call enterPeopleWhoLikeRam after the end of the event (13 Oct 2024) or if Ravana is already killed.

Tools Used

Manual review.

Recommendations

Add a check in the function to prevent users from calling enterPeopleWhoLikeRam when Ravana is already killed:

function enterPeopleWhoLikeRam() public payable {
// People can enter even if the Ram is already selected, they will lose their funds
if (msg.value != entranceFee) {
revert Dussehra__NotEqualToEntranceFee();
}
if (peopleLikeRam[msg.sender] == true) {
revert Dussehra__AlreadyPresent();
}
+ require(!IsRavanKilled, "Ravan is already killed");
peopleLikeRam[msg.sender] = true;
WantToBeLikeRam.push(msg.sender);
ramNFT.mintRamNFT(msg.sender);
emit PeopleWhoLikeRamIsEntered(msg.sender);
}
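
Review bot: The added `require(!IsRavanKilled, ...)` covers only the case where Ravana is already killed. The other case listed under Impact, an entry made after the end of the event while `IsRavanKilled` is still false, still passes this check, so a separate condition on the event date would be needed to cover it. The new line also uses a string `require`, while the two checks above it revert with custom errors (`Dussehra__NotEqualToEntranceFee`, `Dussehra__AlreadyPresent`); a matching custom error would keep the function consistent.
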
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid - enter people after event or after Ram is selected

It is the user's responsibility to check the date of the event.
