Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

[M-02] Non-payable winner permanently bricks selectWinner()

sharonkosgei4

Root + Impact

Description

  • selectWinner() pushes ETH directly to the winner's address.

  • If the winner is a contract without a receive() or fallback() function, the call reverts, and because players[] and raffleStartTime are only reset after the send, the raffle is permanently stuck.

@> (bool success,) = winner.call{value: prizePool}("");
@> require(success, "PuppyRaffle: Failed to send prize pool to winner");

Risk

Likelihood:

  • Any smart contract entered as a player is a candidate it need not be malicious, just non-payable

  • A malicious actor deliberately enters with a reverting contract to grief the protocol

Impact:

  • selectWinner() cannot complete; the raffle is permanently frozen

  • All entrance fees are locked in the contract with no recovery path

Proof of Concept

A contract with no receive() enters the raffle; if selected as a winner, every subsequent selectWinner() call reverts on the ETH transfer, permanently freezing the raffle.

contract NonPayablePlayer {
// No receive() or fallback() — ETH transfers revert
function enter(IPuppyRaffle raffle, uint256 fee) external payable {
address[] memory p = new address[](1);
p[0] = address(this);
raffle.enterRaffle{value: fee}(p);
}
}
// If this contract is selected as winner, selectWinner() reverts on every call

Recommended Mitigation

Use a pull-payment pattern so the winner claims their prize rather than having it pushed.

+ mapping(address => uint256) public pendingPrizes;
function selectWinner() external {
// ... winner selection ...
- (bool success,) = winner.call{value: prizePool}("");
- require(success, "PuppyRaffle: Failed to send prize pool to winner");
+ pendingPrizes[winner] += prizePool;
_safeMint(winner, tokenId);
}
+ function claimPrize() external {
+ uint256 amount = pendingPrizes[msg.sender];
+ require(amount > 0, "Nothing to claim");
+ pendingPrizes[msg.sender] = 0;
+ payable(msg.sender).sendValue(amount);
+ }
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-03] Impossible to win raffle if the winner is a smart contract without a fallback function

## Description If a player submits a smart contract as a player, and if it doesn't implement the `receive()` or `fallback()` function, the call use to send the funds to the winner will fail to execute, compromising the functionality of the protocol. ## Vulnerability Details The vulnerability comes from the way that are programmed smart contracts, if the smart contract doesn't implement a `receive() payable` or `fallback() payable` functions, it is not possible to send ether to the program. ## Impact High - Medium: The protocol won't be able to select a winner but players will be able to withdraw funds with the `refund()` function ## Recommendations Restrict access to the raffle to only EOAs (Externally Owned Accounts), by checking if the passed address in enterRaffle is a smart contract, if it is we revert the transaction. We can easily implement this check into the function because of the Adress library from OppenZeppelin. I'll add this replace `enterRaffle()` with these lines of code: ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { require(Address.isContract(newPlayers[i]) == false, "The players need to be EOAs"); players.push(newPlayers[i]); } // Check for duplicates for (uint256 i = 0; i < players.length - 1; i++) { for (uint256 j = i + 1; j < players.length; j++) { require(players[i] != players[j], "PuppyRaffle: Duplicate player"); } } emit RaffleEnter(newPlayers); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!