Fee Withdrawal Permanently Blocked by Strict Balance Check
Root + Impact
Description
The withdrawFees() function requires the contract balance to exactly equal totalFees. Any ETH sent to the contract outside of the normal flow (e.g., via selfdestruct or while players are active) permanently breaks this equality, making fees unwithdrawable forever.
The withdrawal logic uses strict equality:
This assumes the contract balance only ever contains protocol fees and nothing else. In practice, this assumption is fragile:
Forced ETH transfers. Anyone can force ETH into the contract via selfdestruct from another contract
Active player funds. If players are active, their entrance fees inflate the balance above
totalFeesRounding errors. Any accounting mismatch (like from the downcasting issue) permanently breaks the equality
Risk
Likelihood:
High probability of occurrence and results in permanent fund lock.
Impact:
Once the balance diverges from totalFees, the owner can never withdraw accumulated fees. This is particularly problematic because:
Forced ETH transfers are trivial and unavoidable on Ethereum
There's no recovery mechanism
All future fees become permanently locked
Proof of Concept
An attacker can lock fees with a single transaction:
This sends 1 wei to the raffle contract without triggering any functions. Now address(this).balance != totalFees, and the equality check fails forever.
Recommended Mitigation
Track player funds separately from protocol fees, or simply allow withdrawing the known fee amount:
This removes the strict equality requirement while still ensuring fees are available for withdrawal.
Lead Judging Commences
[M-02] Slightly increasing puppyraffle's contract balance will render `withdrawFees` function useless
## Description An attacker can slightly change the eth balance of the contract to break the `withdrawFees` function. ## Vulnerability Details The withdraw function contains the following check: ``` require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); ``` Using `address(this).balance` in this way invites attackers to modify said balance in order to make this check fail. This can be easily done as follows: Add this contract above `PuppyRaffleTest`: ``` contract Kill { constructor (address target) payable { address payable _target = payable(target); selfdestruct(_target); } } ``` Modify `setUp` as follows: ``` function setUp() public { puppyRaffle = new PuppyRaffle( entranceFee, feeAddress, duration ); address mAlice = makeAddr("mAlice"); vm.deal(mAlice, 1 ether); vm.startPrank(mAlice); Kill kill = new Kill{value: 0.01 ether}(address(puppyRaffle)); vm.stopPrank(); } ``` Now run `testWithdrawFees()` - ` forge test --mt testWithdrawFees` to get: ``` Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: PuppyRaffle: There are currently players active!] testWithdrawFees() (gas: 361718) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 3.40ms ``` Any small amount sent over by a self destructing contract will make `withdrawFees` function unusable, leaving no other way of taking the fees out of the contract. ## Impact All fees that weren't withdrawn and all future fees are stuck in the contract. ## Recommendations Avoid using `address(this).balance` in this way as it can easily be changed by an attacker. Properly track the `totalFees` and withdraw it. ```diff function withdrawFees() external { -- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); uint256 feesToWithdraw = totalFees; totalFees = 0; (bool success,) = feeAddress.call{value: feesToWithdraw}(""); require(success, "PuppyRaffle: Failed to withdraw fees"); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.