Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

almurhasan - minTicketsThreshold check inconsistency in function _checkShouldDraw and function _checkShouldCancel. #475

Closed
sherlock-admin3 opened this issue Aug 20, 2024 · 2 comments
Closed

almurhasan - minTicketsThreshold check inconsistency in function _checkShouldDraw and function _checkShouldCancel. #475

sherlock-admin3 opened this issue Aug 20, 2024 · 2 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Aug 20, 2024
edited by WangSecurity
Loading

almurhasan

Medium

minTicketsThreshold check inconsistency in function _checkShouldDraw and function _checkShouldCancel.

Summary

currentTicketSold must be equal to/greater than minTicketsThreshold in function _checkShouldDraw but in function _checkShouldCancel, currentTicketSold must be equal to/less than minTicketsThreshold.so if currentTicketSold is reached to/equal to minTicketsThreshold, then cancelRaffle is still possible which is unfair.

Vulnerability Detail

  1. Let’s assume, the current raffleId is 1 and the raffleId’s minTicketsThreshold = 100.

  2. Now raffleId 1’s 100 tickets are sold. So currentTicketSold = 100.

  3. After That, no one buys raffleId 1’s tickets(i.e currentTicketSold is still 100) and raffle.endsAt is also reached(i.e current time is bigger than raffle.endsAt).

  4. Now function drawWinner is called which calls function _checkShouldDraw, see function _checkShouldDraw, as currentTicketSold is equal to minTicketsThreshold and current time is bigger than raffle.endsAt, so function drawWinner will be executed.

  5. If before calling function drawWinner, the function cancelRaffle is called which calls function _checkShouldCancel, the function cancelRaffle will be executed even though raffleId’s minTicketsThreshold is reached.

Impact

Attackers can frontrun the function cancelRaffle before function drawWinner when currentTicketSold is equal to minTicketsThreshold and current time is bigger than raffle.endsAt.

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesTicketManager.sol#L440

Tool used

Manual Review

Recommendation

Instead of if (supply > raffle.minTicketsThreshold) revert TargetTicketsReached();
Put this, if (supply >= raffle.minTicketsThreshold) revert TargetTicketsReached(); in function _checkShouldCancel.

Duplicate of #26
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Aug 29, 2024
@sherlock-admin3 sherlock-admin3 changed the title Rich Peach Kookaburra - minTicketsThreshold check inconsistency in function _checkShouldDraw and function _checkShouldCancel. almurhasan - minTicketsThreshold check inconsistency in function _checkShouldDraw and function _checkShouldCancel. Sep 4, 2024
@sherlock-admin3 sherlock-admin3 added the Non-Reward This issue will not receive a payout label Sep 4, 2024
@Almur100
Copy link

This is duplicate of #26

@Almur100 Almur100 mentioned this issue Sep 14, 2024
Open
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Sep 16, 2024
@WangSecurity WangSecurity added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Sep 20, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Sep 20, 2024
@sherlock-admin2
Copy link

The protocol team fixed this issue in the following PRs/commits:
Winnables/public-contracts#23

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Almur100 @WangSecurity @sherlock-admin2 @sherlock-admin3