totalFees overflows and truncates due to uint64 math under Solidity ^0.7.6
totalFees is declared uint64 (src/PuppyRaffle.sol:30) and selectWinner accumulates fees with totalFees = totalFees + uint64(fee) (line 134). Under pragma solidity ^0.7.6 (line 2) arithmetic does NOT revert on overflow, and the uint64(fee) cast silently truncates any fee above 2^64 - 1 wei (~18.4 ETH).
Likelihood:
Medium. A single large raffle (fee > ~18.4 ETH) truncates immediately; otherwise fees accumulate across rounds until the uint64 sum wraps. Both are reachable through normal protocol operation given enough volume, with no attacker interaction required.
Impact:
Medium. totalFees no longer reflects the ETH actually held, corrupting fee accounting. The under-counted value breaks withdrawFees (line 158), which requires address(this).balance == uint256(totalFees); that equality can no longer hold, permanently locking fees in the contract.
Accumulating fees past the uint64 ceiling makes totalFees wrap below the real balance.
Use uint256 for fees (Solidity 0.8+ adds built-in overflow checks; on 0.7.x use SafeMath).
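
The arithmetic behind both failure modes can be checked with a small Python model of the accounting. This is an added example, not code from PuppyRaffle or the original submission; the FeeLedger class, its method names and the assumption that only fee ETH remains in the contract after each selectWinner are illustrative.

```python
"""Model of the totalFees accounting (constructed example, not project code)."""

ETH = 10**18


class FeeLedger:
    """Tracks fee ETH really held versus the totalFees counter.

    Assumption: after each selectWinner the prize is paid out, so the
    only ETH left in the contract is the accumulated fees.
    """

    def __init__(self, width_bits):
        self.mask = 2**width_bits - 1  # 64 models uint64, 256 models uint256
        self.total_fees = 0            # the on-chain counter
        self.balance = 0               # fee ETH actually held

    def select_winner(self, fee):
        # totalFees = totalFees + uint64(fee): the cast truncates, and the
        # unchecked 0.7.x addition wraps modulo 2**width.
        truncated = fee & self.mask
        self.total_fees = (self.total_fees + truncated) & self.mask
        self.balance += fee

    def withdraw_allowed(self):
        # Models require(address(this).balance == uint256(totalFees)).
        return self.balance == self.total_fees


def first_broken_round(fee_per_round, width_bits=64, max_rounds=10_000):
    """Return (round, totalFees, balance) at the first round where the
    withdrawFees equality fails, or None if it never fails in max_rounds."""
    ledger = FeeLedger(width_bits)
    for rnd in range(1, max_rounds + 1):
        ledger.select_winner(fee_per_round)
        if not ledger.withdraw_allowed():
            return rnd, ledger.total_fees, ledger.balance
    return None


if __name__ == "__main__":
    print(first_broken_round(20 * ETH))  # single fee above the uint64 ceiling
    print(first_broken_round(4 * ETH))   # smaller fees accumulating until wrap
    print(first_broken_round(4 * ETH, width_bits=256, max_rounds=100))
```

In this model the gap between balance and totalFees is always a positive multiple of 2^64 once it appears and never shrinks, which is why the equality check stays false afterwards.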