First Flight #17: Dussehra
First Flight #17
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

DOS Vulnerability Due to Multiple Calls to `Dussehra::killRavana`

4rdiii

[H-3] DOS Vulnerability Due to Multiple Calls to Dussehra::killRavana

Description:
The killRavana function in the Dussehra contract can be invoked multiple times, either by design or due to unclear documentation. This repeated invocation leads to the organizer receiving the remaining rewards upon subsequent calls, thereby depleting the contract's balance. As a result, the intended recipient (Ram) is unable to withdraw their rewards due to insufficient funds in the contract.

Impact:
This vulnerability prevents the rightful winner from receiving their rewards, redirecting the funds to the organizer instead. This not only affects the fairness of the reward distribution but also introduces a potential denial-of-service (DoS) condition where the withdrawal functionality becomes unusable for the intended beneficiary.

Proof of Concept:
The following test case can be added to the existing test suite to demonstrate this vulnerability:

function test_CantWithdrawIfKilledTwice() public participants {
vm.warp(1728691200 + 1);
vm.startPrank(organiser);
choosingRam.selectRamIfNotSelected();
vm.stopPrank();
vm.startPrank(player2);
dussehra.killRavana();
dussehra.killRavana();
vm.stopPrank();
vm.startPrank(player2);
vm.expectRevert("Failed to send money to Ram");
dussehra.withdraw();
vm.stopPrank();
assertEq(address(dussehra).balance, 0);
assertEq(organiser.balance, 2e18);
}

Tools Used:
Manual Review
Recommended Mitigation:
To mitigate this vulnerability, it is advisable to add a check within the killRavana function to prevent it from being called more than once. This can be achieved by introducing a state variable that tracks whether Ravana has already been killed and reverting the transaction if an attempt is made to call the function again.
Here is the proposed modification to the killRavana function:

function killRavana() public RamIsSelected {
if (block.timestamp < 1728691069) {
//10/12/2024, 3:27:49 AM
revert Dussehra__MahuratIsNotStart();
}
if (block.timestamp > 1728777669) {
//10/13/2024, 3:31:09 AM
revert Dussehra__MahuratIsFinished();
}
+ if (IsRavanKilled) {
+ revert Dussehra__isAlreadyKilled();
+ }
IsRavanKilled = true;
uint256 totalAmountByThePeople = WantToBeLikeRam.length * entranceFee;
totalAmountGivenToRam = (totalAmountByThePeople * 50) / 100;
(bool success, ) = organiser.call{value: totalAmountGivenToRam}("");
require(success, "Failed to send money to organizer");
}
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

isRavanKilled is not checked

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.