Normal behavior:
When a winner is selected, the prize amount should be derived solely from funds contributed by currently active, non-refunded players.
The players array is used as the canonical source of participant data, and its size is implicitly treated as the number of tickets sold.
Issue:
When a player calls refund(), their slot in the players array is set to address(0) but the array length is never reduced.
Later, selectWinner() calculates the prize using:
This calculation counts refunded (inactive) players, even though their ETH has already been returned.
As a result, the prize amount no longer reflects the real economic state of the raffle.
Likelihood:
Reason 1: Refunds are part of normal protocol usage.
Reason 2: Refunded players are never removed from the players array.
Impact:
Impact 1: Prize calculation becomes economically inaccurate.
Impact 2: Raffle outcomes deviate from intended fairness.
⚠️ No direct fund theft occurs, which is why this is LOW severity.
Scenario:
Result:
Prize math is skewed, but execution does not revert.
Recommendation:
Track the number of active players explicitly, or remove refunded players from the players array (for example with swap-and-pop on refund), so that the prize calculation only counts active, non-refunded tickets.
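To make the issue and both mitigations concrete, the following is an added example written for this report, not code from the audited project. It assumes the elided prize formula is `players.length * entranceFee` (the page does not show it) and uses the hypothetical contract names `RaffleVulnerable` and `RaffleFixed`; the fee and player addresses are constructed inputs. The vulnerable version zeroes the slot on refund, so its prize pool drifts away from the ETH the contract actually holds; the fixed version swap-and-pops the slot and also keeps an explicit active-player counter, and exposes an invariant check a test or monitor can call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable sketch (assumed, hypothetical): refund() leaves a zeroed slot
// behind, so players.length overstates the number of live tickets.
contract RaffleVulnerable {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 _entranceFee) { entranceFee = _entranceFee; }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        players[index] = address(0);            // slot zeroed, length unchanged
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // Assumed prize formula (the report elides the real one). After one
    // refund, this still counts the refunded ticket, so it exceeds balance.
    function prizePool() public view returns (uint256) {
        return players.length * entranceFee;
    }
}

// Fixed sketch: swap-and-pop on refund keeps players.length equal to the
// number of active tickets, and activePlayers mirrors it for readability.
contract RaffleFixed {
    uint256 public immutable entranceFee;
    address[] public players;
    uint256 public activePlayers;

    constructor(uint256 _entranceFee) { entranceFee = _entranceFee; }

    function enterRaffle() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
        activePlayers += 1;
    }

    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        uint256 last = players.length - 1;
        if (index != last) {
            players[index] = players[last];     // move last entry into the hole
        }
        players.pop();                          // shrink the array
        activePlayers -= 1;
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    function prizePool() public view returns (uint256) {
        return activePlayers * entranceFee;     // only live tickets are counted
    }

    // Invariant a test suite or off-chain monitor can assert after every
    // enter/refund: prize accounting must match the ETH actually held.
    function invariantHolds() external view returns (bool) {
        return players.length == activePlayers
            && activePlayers * entranceFee == address(this).balance;
    }
}
```

Walking through it with a constructed fee of 1 ether and three entrants: after one refund, `RaffleVulnerable.prizePool()` still returns 3 ether while the contract holds 2 ether, whereas `RaffleFixed.prizePool()` returns 2 ether and `invariantHolds()` stays true. One caveat of swap-and-pop with index-based refunds is that the last player's index changes when someone else refunds, so callers must re-read their index (or the contract should look it up by address) before calling refund(); the explicit counter is the safer mitigation if index stability matters to the rest of the protocol.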