selectWinner pushes the prize to winner.call before minting; a winner contract that rejects ETH permanently bricks winner selection and the raffle
A winner that reverts on payment bricks selectWinner and soft-locks the raffle
Description
PuppyRaffle::selectWinner (src/PuppyRaffle.sol:151-153) pushes the prize with winner.call{value: prizePool}("") and require(success) before minting the NFT. If the selected winner is a contract that reverts on receiving ETH (or later reverts in onERC721Received during _safeMint), the whole call reverts every time that address is picked.
Risk
Likelihood:
Low. It requires the pseudo-random winnerIndex to land on an address that rejects ETH or the safe-mint callback. This can happen by chance, or be forced by an attacker who combines this with the predictable-randomness flaw to ensure a reverting contract is selected.
Impact:
High. Each selectWinner attempt reverts, so the round cannot complete. Because players is already deleted at line 148 within the reverted (and thus rolled-back) call, repeated attempts keep failing and the raffle is effectively soft-locked, freezing the prize pool until/unless a non-reverting winner can ever be drawn.
Proof of Concept
A winner contract with a reverting receive() makes selectWinner revert whenever it is chosen.
Recommended Mitigation
Mint independently of the transfer and use a pull-payment so a hostile winner cannot block the round.
Lead Judging Commences
[M-03] Impossible to win raffle if the winner is a smart contract without a fallback function
## Description If a player submits a smart contract as a player, and if it doesn't implement the `receive()` or `fallback()` function, the call use to send the funds to the winner will fail to execute, compromising the functionality of the protocol. ## Vulnerability Details The vulnerability comes from the way that are programmed smart contracts, if the smart contract doesn't implement a `receive() payable` or `fallback() payable` functions, it is not possible to send ether to the program. ## Impact High - Medium: The protocol won't be able to select a winner but players will be able to withdraw funds with the `refund()` function ## Recommendations Restrict access to the raffle to only EOAs (Externally Owned Accounts), by checking if the passed address in enterRaffle is a smart contract, if it is we revert the transaction. We can easily implement this check into the function because of the Adress library from OppenZeppelin. I'll add this replace `enterRaffle()` with these lines of code: ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { require(Address.isContract(newPlayers[i]) == false, "The players need to be EOAs"); players.push(newPlayers[i]); } // Check for duplicates for (uint256 i = 0; i < players.length - 1; i++) { for (uint256 j = i + 1; j < players.length; j++) { require(players[i] != players[j], "PuppyRaffle: Duplicate player"); } } emit RaffleEnter(newPlayers); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.