Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shikhar - _checkShouldCancel doesn't revert for the case when tickets sold are equal to minimum ticket threshold due to insufficient check. #270

Closed
sherlock-admin4 opened this issue Aug 20, 2024 · 2 comments
Closed

shikhar - _checkShouldCancel doesn't revert for the case when tickets sold are equal to minimum ticket threshold due to insufficient check. #270

sherlock-admin4 opened this issue Aug 20, 2024 · 2 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Aug 20, 2024
edited by sherlock-admin3
Loading

shikhar

Medium

_checkShouldCancel doesn't revert for the case when tickets sold are equal to minimum ticket threshold due to insufficient check.

Summary

  • The _checkShouldCancel simply returns to the caller function if Raffle is to be cancelled otherwise it reverts.
  • It was expected that it should also revert, if tickets sold are exactly equal to minimum threshold or more than threshold.
  • But it doesn't revert when tickets sold are exactly equal to minimum ticket threshold due to incorrect check.
  • As a result of which even if the supply reaches minimum ticket threshold, the Raffle is cancellable and a malicious user can call cancelRaffle function. Thus, leaving an eligible Raffle into a cancelled Raffle and the lucky participant will not get the prize.

Vulnerability Detail

  • The vulnerability is present in the _checkShouldCancel function where it doesn't revert for the case when supply is exactly minimum ticket threshold (when Raffle end time has reached).
  • This occurs due to the below check (represented by @>). Here, it only reverts if supply is more than minimum threshold, but it is also expected to revert when supply is exactly minimum tickets threshold.
    function _checkShouldCancel(uint256 raffleId) internal view {
        Raffle storage raffle = _raffles[raffleId];
        if (raffle.status == RaffleStatus.PRIZE_LOCKED) return;
        if (raffle.status != RaffleStatus.IDLE) revert InvalidRaffle();
        if (raffle.endsAt > block.timestamp) revert RaffleIsStillOpen();
        uint256 supply = IWinnablesTicket(TICKETS_CONTRACT).supplyOf(raffleId);
@>      if (supply > raffle.minTicketsThreshold) revert TargetTicketsReached();
    }
  • As a result of this incorrect check, it doesn't revert and simple returns which means that the calling function can continue with cancellation for the above discussed case.
  • Thus, resulting in a cancellation of Raffle which was eligible of drawing a winner and would be left without a winner.

Impact

  • Raffles can be cancelled by malicious user for the case when supply is exactly minimum tickets thresholds, resulting in Raffle cancellation and no winner chosen.

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesTicketManager.sol#L440

Tool used

Manual Review

Recommendation

Correct the check as below:

    function _checkShouldCancel(uint256 raffleId) internal view {
        Raffle storage raffle = _raffles[raffleId];
        if (raffle.status == RaffleStatus.PRIZE_LOCKED) return;
        if (raffle.status != RaffleStatus.IDLE) revert InvalidRaffle();
        if (raffle.endsAt > block.timestamp) revert RaffleIsStillOpen();
        uint256 supply = IWinnablesTicket(TICKETS_CONTRACT).supplyOf(raffleId);
-       if (supply > raffle.minTicketsThreshold) revert TargetTicketsReached();
+       if (supply >= raffle.minTicketsThreshold) revert TargetTicketsReached();
    }
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Aug 29, 2024
@sherlock-admin3 sherlock-admin3 changed the title Funny Pickle Grasshopper - _checkShouldCancel doesn't revert for the case when tickets sold are equal to minimum ticket threshold due to insufficient check. shikhar - _checkShouldCancel doesn't revert for the case when tickets sold are equal to minimum ticket threshold due to insufficient check. Sep 4, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Sep 4, 2024
@shikhar229169 shikhar229169 mentioned this issue Sep 21, 2024
Open
@shikhar229169
Copy link

This finding is a dup of #26

@sherlock-admin2
Copy link

The protocol team fixed this issue in the following PRs/commits:
Winnables/public-contracts#23

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@shikhar229169 @sherlock-admin2 @sherlock-admin3 @sherlock-admin4