[H-5] Incorrect Fee and Prize Calculation Using players.length After Refunds
[H-5] Incorrect Fee and Prize Calculation Using players.length After Refunds
Title: Incorrect Fee and Prize Calculation Using players.length After Refunds
Impact: High
Likelihood: Medium
Description
-
The
selectWinnerfunction calculates the total collected amount and distributes 80% to the winner and 20% as fees. This calculation should reflect the actual number of active, non-refunded players who have paid entrance fees. -
The calculation multiplies
players.lengthbyentranceFeeto determine the total amount collected. However, when a player callsrefund, their slot is set toaddress(0)but remains in the array, meaningplayers.lengthdoes not decrease. This causes the contract to calculate fees and prize amounts based on the original array size rather than the actual number of active participants who still have funds in the contract.
Risk
Likelihood:
-
Any player can call
refundto withdraw their entrance fee, creating a gap between the actual contract balance and the calculatedtotalAmountCollected. Every time a player refunds, the discrepancy grows by oneentranceFee. -
The issue manifests every time
selectWinneris called after one or more refunds have occurred. No special attacker action is needed beyond normal user behavior — any participant who requests a refund triggers the miscalculation.
Impact:
-
The
prizePoolvalue is calculated based on the inflatedtotalAmountCollected, meaning the winner may receive ETH that was never actually deposited by active players. This effectively redistributes funds from other legitimate participants or the fee pool to the winner unfairly. -
The
totalFeescounter accumulates an inflated value based onplayers.length, which meanswithdrawFeesmay attempt to withdraw more fees than the contract actually holds. ThewithdrawFeesfunction has a guard (require(address(this).balance == uint256(totalFees))), but because the balance is lower thantotalFees, the owner will be permanently unable to withdraw accumulated fees.
Proof of Concept
This PoC demonstrates the cascading failure caused by the miscalculation. After one player refunds, the contract holds 3 ETH but players.length remains 4. When selectWinner calculates the prize pool as 80% of 4 ETH (3.2 ETH), it exceeds the actual contract balance of 3 ETH. The winner.call{value: prizePool} either reverts (blocking the entire raffle) or succeeds with a lower amount due to address(this).balance being insufficient. Meanwhile, totalFees is set to 0.8 ETH, but since withdrawFees requires address(this).balance == totalFees, the owner can never withdraw because the balances no longer match.
Recommended Mitigation
Using address(this).balance instead of players.length * entranceFee ensures the fee and prize calculations are based on the actual ETH held by the contract. After refunds are paid out, the remaining balance accurately represents the distributable funds. This also fixes the withdrawFees guard condition, since totalFees will now match the actual contract balance after a successful selectWinner call.
Lead Judging Commences
[H-04] `PuppyRaffle::refund` replaces an index with address(0) which can cause the function `PuppyRaffle::selectWinner` to always revert
## Description `PuppyRaffle::refund` is supposed to refund a player and remove him from the current players. But instead, it replaces his index value with address(0) which is considered a valid value by solidity. This can cause a lot issues because the players array length is unchanged and address(0) is now considered a player. ## Vulnerability Details ```javascript players[playerIndex] = address(0); @> uint256 totalAmountCollected = players.length * entranceFee; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); _safeMint(winner, tokenId); ``` If a player refunds his position, the function `PuppyRaffle::selectWinner` will always revert. Because more than likely the following call will not work because the `prizePool` is based on a amount calculated by considering that that no player has refunded his position and exit the lottery. And it will try to send more tokens that what the contract has : ```javascript uint256 totalAmountCollected = players.length * entranceFee; uint256 prizePool = (totalAmountCollected * 80) / 100; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); ``` However, even if this calls passes for some reason (maby there are more native tokens that what the players have sent or because of the 80% ...). The call will thankfully still fail because of the following line is minting to the zero address is not allowed. ```javascript _safeMint(winner, tokenId); ``` ## Impact The lottery is stoped, any call to the function `PuppyRaffle::selectWinner`will revert. There is no actual loss of funds for users as they can always refund and get their tokens back. However, the protocol is shut down and will lose all it's customers. A core functionality is exposed. Impact is high ### Proof of concept To execute this test : forge test --mt testWinnerSelectionRevertsAfterExit -vvvv ```javascript function testWinnerSelectionRevertsAfterExit() public playersEntered { vm.warp(block.timestamp + duration + 1); vm.roll(block.number + 1); // There are four winners. Winner is last slot vm.prank(playerFour); puppyRaffle.refund(3); // reverts because out of Funds vm.expectRevert(); puppyRaffle.selectWinner(); vm.deal(address(puppyRaffle), 10 ether); vm.expectRevert("ERC721: mint to the zero address"); puppyRaffle.selectWinner(); } ``` ## Recommendations Delete the player index that has refunded. ```diff - players[playerIndex] = address(0); + players[playerIndex] = players[players.length - 1]; + players.pop() ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.