selectWinner, freezing the prize and blocking settlementSeverity: Medium
selectWinner pushes the prize to the winner with a low-level call and requires success, then mints the NFT with _safeMint.
When the selected winner is a contract that reverts on ETH receipt (or does not implement onERC721Received), the push fails and the entire selectWinner reverts. Since the winner index is deterministic for a given block state (see H-2), the draw is stuck for that state and a griefer can arrange to be the reverting winner.
Likelihood:
Occurs whenever the selected winner is a contract whose receive/fallback reverts on value transfer; combined with the predictable RNG, a griefer can ensure that block resolves to their reverting contract.
Occurs equally through _safeMint when the winning contract does not implement onERC721Received.
Impact:
selectWinner reverts, so the raffle cannot be settled for that draw and the prize pool is frozen in the contract.
Save as test/NonReceivingWinnerPoC.t.sol and run forge test --mt testNonReceivingWinnerBricksDraw. A RevertOnReceive contract enters and, when selected as winner, selectWinner reverts.
Use a pull-payment pattern: record the winner's prize and let them withdraw it in a separate call, so a single non-receiving winner cannot block the draw.
Consider _mint semantics as well so NFT delivery cannot block settlement.
## Description If a player submits a smart contract as a player, and if it doesn't implement the `receive()` or `fallback()` function, the call use to send the funds to the winner will fail to execute, compromising the functionality of the protocol. ## Vulnerability Details The vulnerability comes from the way that are programmed smart contracts, if the smart contract doesn't implement a `receive() payable` or `fallback() payable` functions, it is not possible to send ether to the program. ## Impact High - Medium: The protocol won't be able to select a winner but players will be able to withdraw funds with the `refund()` function ## Recommendations Restrict access to the raffle to only EOAs (Externally Owned Accounts), by checking if the passed address in enterRaffle is a smart contract, if it is we revert the transaction. We can easily implement this check into the function because of the Adress library from OppenZeppelin. I'll add this replace `enterRaffle()` with these lines of code: ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { require(Address.isContract(newPlayers[i]) == false, "The players need to be EOAs"); players.push(newPlayers[i]); } // Check for duplicates for (uint256 i = 0; i < players.length - 1; i++) { for (uint256 j = i + 1; j < players.length; j++) { require(players[i] != players[j], "PuppyRaffle: Duplicate player"); } } emit RaffleEnter(newPlayers); } ```
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.