Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0x0x0xw3 - Raffle can be canceled even if minTicketsThreshold is reached #330

Closed
sherlock-admin4 opened this issue Aug 20, 2024 · 2 comments
Closed

0x0x0xw3 - Raffle can be canceled even if minTicketsThreshold is reached #330

sherlock-admin4 opened this issue Aug 20, 2024 · 2 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Aug 20, 2024
edited by WangSecurity
Loading

0x0x0xw3

Medium

Raffle can be canceled even if minTicketsThreshold is reached

Summary

WinnablesTicketManager::cancelRaffle will allow anyone to cancel a raffle even if minTicketsThreshold is reached due to a bad comparission in WinnablesTicketManager::_checkShouldCancel

Vulnerability Detail

The vulnerability reside in WinnablesTicketManager::_checkShouldCancel (called by WinnablesTicketManager::cancelRaffle).
This function returns that a raffle cannot be canceled if ticket's supply is greater than raffle.minTicketsThreshold, but if ticket's supply is equal to minTicketsThreshold it allows to be canceled.
This is because it doesnt take into account where the minTicketsThreshold is reached due to a bad comparission:

function _checkShouldCancel(uint256 raffleId) internal view {
    Raffle storage raffle = _raffles[raffleId];
    //...snippet
    if (supply > raffle.minTicketsThreshold) revert TargetTicketsReached(); // <- bad comparission
}

So if raffle ends with minTicketsThreshold reached, still can be canceled by anyone breaking invariant defined in IWinnables's Raffle struct.

Impact

Invariant breakage about raffle conditionals
DoS when raffle reaches minTicketsThreshold

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/81b28633d0f450e33a8b32976e17122418f5d47e/public-contracts/contracts/WinnablesTicketManager.sol#L434-L441

Tool used

Manual Review

Recommendation

Change comparator in WinnablesTicketManager::_checkShouldCancel to greater or equal:

function _checkShouldCancel(uint256 raffleId) internal view {
    Raffle storage raffle = _raffles[raffleId];
    if (raffle.status == RaffleStatus.PRIZE_LOCKED) return;
    if (raffle.status != RaffleStatus.IDLE) revert InvalidRaffle();
    if (raffle.endsAt > block.timestamp) revert RaffleIsStillOpen();
    uint256 supply = IWinnablesTicket(TICKETS_CONTRACT).supplyOf(raffleId);
    if (supply >= raffle.minTicketsThreshold) revert TargetTicketsReached();  //<- changed
}

Duplicate of #26
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Aug 29, 2024
@sherlock-admin3 sherlock-admin3 changed the title Large Myrtle Okapi - Raffle can be canceled even if minTicketsThreshold is reached 0x0x0xw3 - Raffle can be canceled even if minTicketsThreshold is reached Sep 4, 2024
@sherlock-admin3 sherlock-admin3 added the Non-Reward This issue will not receive a payout label Sep 4, 2024
@0xweb333 0xweb333 mentioned this issue Sep 4, 2024
Open
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Sep 10, 2024
@WangSecurity
Copy link

This will be duplicated with #26 and validated with Medium severity.

@WangSecurity WangSecurity added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Sep 20, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Sep 20, 2024
@sherlock-admin2
Copy link

The protocol team fixed this issue in the following PRs/commits:
Winnables/public-contracts#23

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4