withdrawFees() Can Be Permanently Bricked by Forced ETH
Root + Impact
Description
Normal behavior:
The protocol accumulates a 20% fee from each completed raffle round.
These fees are tracked in the totalFees state variable and are intended to be withdrawn by the protocol owner via the withdrawFees() function.
To ensure fees are not withdrawn while players are still active, the function enforces the following invariant:
This implicitly assumes that the entire ETH balance of the contract is always equal to totalFees once raffles are complete.
Issue:
This assumption is incorrect and unsafe.
In Ethereum, ETH can be forcefully sent to any contract without calling its functions, most commonly via selfdestruct.
When this happens:
-
address(this).balanceincreases -
totalFeesdoes not change -
The equality invariant becomes permanently false
Because the condition uses strict equality (==), even a single wei of forced ETH causes withdrawFees() to revert forever.
There is no recovery path in the contract to reconcile this mismatch.
Risk
Likelihood:
-
Reason 1: ETH can always be force-sent to a contract without calling any function.
-
Reason 2: No recovery mechanism exists to reconcile balance mismatches.
Impact:
-
Impact 1: The owner permanently loses access to collected protocol fees.
-
Impact 2: Fee accounting becomes irreversibly broken.
Proof of Concept
Steps:
-
Deploy
ForceSendwith 1 wei. -
Call
attack(address(PuppyRaffle)). -
Contract balance increases without updating
totalFees. -
withdrawFees()reverts forever.
Recommended Mitigation
Relax the equality constraint or decouple fee accounting from raw balance checks:
Or decouple fee accounting entirely from address(this).balance.
Lead Judging Commences
[M-02] Slightly increasing puppyraffle's contract balance will render `withdrawFees` function useless
## Description An attacker can slightly change the eth balance of the contract to break the `withdrawFees` function. ## Vulnerability Details The withdraw function contains the following check: ``` require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); ``` Using `address(this).balance` in this way invites attackers to modify said balance in order to make this check fail. This can be easily done as follows: Add this contract above `PuppyRaffleTest`: ``` contract Kill { constructor (address target) payable { address payable _target = payable(target); selfdestruct(_target); } } ``` Modify `setUp` as follows: ``` function setUp() public { puppyRaffle = new PuppyRaffle( entranceFee, feeAddress, duration ); address mAlice = makeAddr("mAlice"); vm.deal(mAlice, 1 ether); vm.startPrank(mAlice); Kill kill = new Kill{value: 0.01 ether}(address(puppyRaffle)); vm.stopPrank(); } ``` Now run `testWithdrawFees()` - ` forge test --mt testWithdrawFees` to get: ``` Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: PuppyRaffle: There are currently players active!] testWithdrawFees() (gas: 361718) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 3.40ms ``` Any small amount sent over by a self destructing contract will make `withdrawFees` function unusable, leaving no other way of taking the fees out of the contract. ## Impact All fees that weren't withdrawn and all future fees are stuck in the contract. ## Recommendations Avoid using `address(this).balance` in this way as it can easily be changed by an attacker. Properly track the `totalFees` and withdraw it. ```diff function withdrawFees() external { -- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); uint256 feesToWithdraw = totalFees; totalFees = 0; (bool success,) = feeAddress.call{value: feesToWithdraw}(""); require(success, "PuppyRaffle: Failed to withdraw fees"); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.