Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Using Push-Over-Pull, Causing Winner Selection Can Be Permanently Blocked

quangviet910

Root + Impact

Description

  • The `selectWinner()` function in `PuppyRaffle.sol:149-150` requires the prize transfer to succeed.

  • If the winner is a contract that reverts on ETH receipt, the function reverts.

raffleStartTime = block.timestamp;
previousWinner = winner;
(bool success,) = winner.call{value: prizePool}("");
require(success, "PuppyRaffle: Failed to send prize pool to winner"); @> if winner cannot receive ETH, the function reverts
_safeMint(winner, tokenId);

Risk

Likelihood:

  • A malicious user enters the raffle with a contract address that has a `receive()` function that always reverts. When this contract is selected as the winner, `selectWinner()` permanently reverts.

Impact:

  • The raffle becomes permanently stuck. No winner can be selected, no NFT can be minted, and all player funds are locked in the contract forever.

Proof of Concept

If below contract is the winner, this vulnerability will be triggered.

contract SelectWinnerBlocker {
receive() external payable {
revert("I don't want your ETH");
}
}

Recommended Mitigation

Use the pull-over-push pattern where winners claim their prize.

+mapping(address => uint256) public pendingWithdrawals;
function selectWinner() external {
- (bool success,) = winner.call{value: prizePool}("");
- require(success, "PuppyRaffle: Failed to send prize pool to winner");
+ pendingWithdrawals[winner] = prizePool;
_safeMint(winner, tokenId);
}
+function claimPrize() external {
+ uint256 amount = pendingWithdrawals[msg.sender];
+ require(amount > 0, "No prize to claim");
+ pendingWithdrawals[msg.sender] = 0;
+ (bool success,) = msg.sender.call{value: amount}("");
+ require(success, "Transfer failed");
+}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 24 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-03] Impossible to win raffle if the winner is a smart contract without a fallback function

## Description If a player submits a smart contract as a player, and if it doesn't implement the `receive()` or `fallback()` function, the call use to send the funds to the winner will fail to execute, compromising the functionality of the protocol. ## Vulnerability Details The vulnerability comes from the way that are programmed smart contracts, if the smart contract doesn't implement a `receive() payable` or `fallback() payable` functions, it is not possible to send ether to the program. ## Impact High - Medium: The protocol won't be able to select a winner but players will be able to withdraw funds with the `refund()` function ## Recommendations Restrict access to the raffle to only EOAs (Externally Owned Accounts), by checking if the passed address in enterRaffle is a smart contract, if it is we revert the transaction. We can easily implement this check into the function because of the Adress library from OppenZeppelin. I'll add this replace `enterRaffle()` with these lines of code: ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { require(Address.isContract(newPlayers[i]) == false, "The players need to be EOAs"); players.push(newPlayers[i]); } // Check for duplicates for (uint256 i = 0; i < players.length - 1; i++) { for (uint256 j = i + 1; j < players.length; j++) { require(players[i] != players[j], "PuppyRaffle: Duplicate player"); } } emit RaffleEnter(newPlayers); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!