Reentrancy attack in `Dussehra::withdraw` allows the Rama to withdraw a bigger amount from the contract.
CEI is not being followed in `Dussehra::withdraw`, which allows the Rama to keep re-entering the function while the contract still holds ETH. This allows the Rama to withdraw all the remaining money from the contract. However, before the Rama is able to withdraw their reward, they have to call `killRavana`, which transfers half of the contract's balance to the organizer. So if users don't keep calling `enterPeopleWhoLikeRam` even after Ravana has been killed, the Rama won't be able to get an extra amount.
Manual review
Update `totalAmountGivenToRam` before sending the ETH to the Rama.
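The ordering problem and the recommended fix, as an added illustration that is not the audited Dussehra source: the storage layout, the `killRavana` stand-in and the exact checks are assumptions, only the `withdraw` ordering and the `totalAmountGivenToRam` update follow the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified contract written for this finding; not the audited code.
contract DussehraWithdrawExample {
    address public immutable ram;          // assumed name for the selected Rama
    uint256 public totalAmountGivenToRam;  // state variable named in the recommendation
    bool public isRavanKilled;             // assumed flag set by killRavana

    constructor(address _ram) payable {
        ram = _ram;
    }

    // Stand-in for killRavana: only flips the flag here (the real one also pays the organiser).
    function killRavana() external {
        isRavanKilled = true;
    }

    // BEFORE: interaction happens before the effect. A `ram` contract can re-enter from
    // its receive() while totalAmountGivenToRam is still zero, so the "already paid"
    // check does not stop the second call. This is the CEI violation the finding reports.
    function withdrawVulnerable() external {
        require(msg.sender == ram, "only ram");
        require(isRavanKilled, "ravan alive");
        require(totalAmountGivenToRam == 0, "already paid");
        uint256 amount = address(this).balance;   // whatever is left after killRavana
        (bool ok, ) = ram.call{value: amount}(""); // external call first ...
        require(ok, "send failed");
        totalAmountGivenToRam = amount;            // ... effect last
    }

    // AFTER: checks, then effects, then interaction. The amount is recorded before any
    // ETH leaves, so a re-entrant call fails the "already paid" check.
    function withdrawFixed() external {
        require(msg.sender == ram, "only ram");
        require(isRavanKilled, "ravan alive");
        require(totalAmountGivenToRam == 0, "already paid");
        uint256 amount = address(this).balance;
        totalAmountGivenToRam = amount;            // effect first
        (bool ok, ) = ram.call{value: amount}(""); // interaction last
        require(ok, "send failed");
    }
}
```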
The `withdraw` function sends the given amount to Ram. If the attacker calls the `withdraw` function again before the state variable is changed, the function will revert because there are no more funds in the contract. This reentrancy has no impact for the protocol. It is recommended to follow the CEI pattern, but this is informational.