Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-03] totalFees uint64 overflow silently zeroes accumulated fees

sharonkosgei4

Root + Impact

Description

  • totalFees accumulates protocol fees each round. Because it is typed as uint64 a Solidity 0.7.6, which has no built-in overflow protection, the counter wraps to zero once it surpasses ~18.4 ETH.

  • The owner then withdraws far less than the actual fees earned.

@> uint64 public totalFees = 0;
// Inside selectWinner():
@> totalFees = totalFees + uint64(fee); // explicit narrowing cast + no overflow check

Risk

Likelihood:

  • With entranceFee = 1 ETH and 100 players, a single round produces a fee of 20 ETH, which already exceeds uint64 max on the very first call

  • Any raffle with a prize pool larger than ~92 ETH triggers overflow

Impact:

  • The owner receives a fraction of the fees actually owed, potentially near zero after overflow

  • The loss is silent; no revert or event signals the corruption

Proof of Concept

With a standard entranceFee = 1 ETH and 100 players, the single-round fee already exceeds uint64 max, so totalFees is silently truncated from round one.

entranceFee = 1 ETH, 100 players
fee (uint256) = 100e18 * 20 / 100 = 20e18 wei
uint64 max = 18_446_744_073_709_551_615 (~18.4e18 wei)
uint64(20e18) = 1_553_255_926_290_448_384 ← silently truncated on round 1

Recommended Mitigation

Change totalFees to uint256 and remove the narrowing cast so fees accumulate without any ceiling or truncation.

- uint64 public totalFees = 0;
+ uint256 public totalFees = 0;
- totalFees = totalFees + uint64(fee);
+ totalFees = totalFees + fee;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-05] Typecasting from uint256 to uint64 in PuppyRaffle.selectWinner() May Lead to Overflow and Incorrect Fee Calculation

## Description ## Vulnerability Details The type conversion from uint256 to uint64 in the expression 'totalFees = totalFees + uint64(fee)' may potentially cause overflow problems if the 'fee' exceeds the maximum value that a uint64 can accommodate (2^64 - 1). ```javascript totalFees = totalFees + uint64(fee); ``` ## POC <details> <summary>Code</summary> ```javascript function testOverflow() public { uint256 initialBalance = address(puppyRaffle).balance; // This value is greater than the maximum value a uint64 can hold uint256 fee = 2**64; // Send ether to the contract (bool success, ) = address(puppyRaffle).call{value: fee}(""); assertTrue(success); uint256 finalBalance = address(puppyRaffle).balance; // Check if the contract's balance increased by the expected amount assertEq(finalBalance, initialBalance + fee); } ``` </details> In this test, assertTrue(success) checks if the ether was successfully sent to the contract, and assertEq(finalBalance, initialBalance + fee) checks if the contract's balance increased by the expected amount. If the balance didn't increase as expected, it could indicate an overflow. ## Impact This could consequently lead to inaccuracies in the computation of 'totalFees'. ## Recommendations To resolve this issue, you should change the data type of `totalFees` from `uint64` to `uint256`. This will prevent any potential overflow issues, as `uint256` can accommodate much larger numbers than `uint64`. Here's how you can do it: Change the declaration of `totalFees` from: ```javascript uint64 public totalFees = 0; ``` to: ```jasvascript uint256 public totalFees = 0; ``` And update the line where `totalFees` is updated from: ```diff - totalFees = totalFees + uint64(fee); + totalFees = totalFees + fee; ``` This way, you ensure that the data types are consistent and can handle the range of values that your contract may encounter.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!