totalFees is a uint64, used to store cumulative fees
since solidity 0.7 does not provide checked arithmetic. Once cumulative fees exceed 2^64 - 1, the value wraps. The contract balance retains the real amount, while totalFees contains the wrapped value, so the strict equality check in withdrawFees fails and fees become stuck.
Likelihood:
High. the total fees can exceed 2^64 - 1, when enough players enter the raffle and winner is selected using the selectWinner() function
Impact:
High. fees become stuck .
After the totalFees exceed 2^64 - 1 the contract balance retains the real amount, while totalFees contains the wrapped value, so the strict equality check in withdrawFees fails and fees become stuck.
The vulnerable line is:
totalFees should be a uint256, and the narrowing cast should be removed:
first, the uint256 should be used instead of uint64 to accomodate larger values
at line 30
and at line 134 the narrowing cast should be removed:
## Description ## Vulnerability Details The type conversion from uint256 to uint64 in the expression 'totalFees = totalFees + uint64(fee)' may potentially cause overflow problems if the 'fee' exceeds the maximum value that a uint64 can accommodate (2^64 - 1). ```javascript totalFees = totalFees + uint64(fee); ``` ## POC <details> <summary>Code</summary> ```javascript function testOverflow() public { uint256 initialBalance = address(puppyRaffle).balance; // This value is greater than the maximum value a uint64 can hold uint256 fee = 2**64; // Send ether to the contract (bool success, ) = address(puppyRaffle).call{value: fee}(""); assertTrue(success); uint256 finalBalance = address(puppyRaffle).balance; // Check if the contract's balance increased by the expected amount assertEq(finalBalance, initialBalance + fee); } ``` </details> In this test, assertTrue(success) checks if the ether was successfully sent to the contract, and assertEq(finalBalance, initialBalance + fee) checks if the contract's balance increased by the expected amount. If the balance didn't increase as expected, it could indicate an overflow. ## Impact This could consequently lead to inaccuracies in the computation of 'totalFees'. ## Recommendations To resolve this issue, you should change the data type of `totalFees` from `uint64` to `uint256`. This will prevent any potential overflow issues, as `uint256` can accommodate much larger numbers than `uint64`. Here's how you can do it: Change the declaration of `totalFees` from: ```javascript uint64 public totalFees = 0; ``` to: ```jasvascript uint256 public totalFees = 0; ``` And update the line where `totalFees` is updated from: ```diff - totalFees = totalFees + uint64(fee); + totalFees = totalFees + fee; ``` This way, you ensure that the data types are consistent and can handle the range of values that your contract may encounter.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.