Submission Details
Impact:
Likelihood:
Strict equality donation attack prevents withdrawing accumulated fees
Description
The
withdrawFeesfunction strictly requires the contract's overall ETH balance to exactly equaltotalFees.Anyone can forcefully send ETH to a contract bypassing
receive()orenterRaffle()functions by utilizingselfdestruct.
// Root cause in the codebase with @> marks to highlight the relevant section
function withdrawFees() external {
@> require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
// ...
}
Risk
Likelihood:
High. An attacker only needs to sacrifice 1 wei to permanently trigger this lock.
Impact:
The
withdrawFeesfunction will always fail, permanently locking any legitimately collected protocol fees inside the contract.
Proof of Concept
// Demonstrated in `test_donationAttackWithdrawFees()` within `PuppyRaffleAudit.t.sol`
// Attacker calls: selfdestruct(payable(puppyRaffleAddress)) with 1 wei.
// This sets address(this).balance > totalFees making the require physically impossible to pass.
Recommended Mitigation
Check if the balance is strictly greater-than/equal-to, or track active players safely.
function withdrawFees() external {
- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
+ // Alternatively, check `players.length == 0` to verify players are not active
+ require(address(this).balance >= uint256(totalFees), "PuppyRaffle: Insufficient balance!");
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.