#50949 [SC - Insight] No check if raffle actually has enough funds
Submitted on Jul 29th 2025 at 22:19:06 UTC by @PotEater for Attackathon | Plume Network
Report ID: #50949
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Raffle.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief/Intro
In the Raffle.sol contract, in the function addPrize, there is no check that the raffle actually has enough funds to cover the prize.
Vulnerability Details
The function addPrize is used to add a new prize to the raffle system. However, there is no check that the contract actually holds enough funds to cover the prize, i.e. that it can afford to offer it.
Code snippet:

    function addPrize(
        string calldata name,
        string calldata description,
        uint256 value,
        uint256 quantity
    ) external onlyRole(ADMIN_ROLE) {
        uint256 prizeId = nextPrizeId++;
        prizeIds.push(prizeId);
        require(bytes(prizes[prizeId].name).length == 0, "Prize ID already in use");
        require(quantity > 0, "Quantity must be greater than 0");
        // No check here that the contract can cover value * quantity
        prizes[prizeId] = Prize({
            name: name,
            description: description,
            value: value,
            endTimestamp: 0,
            isActive: true,
            winner: address(0), // deprecated
            winnerIndex: 0, // deprecated
            claimed: false, // deprecated
            quantity: quantity
        });
        emit PrizeAdded(prizeId, name);
    }

This function should implement a check that ensures the admin cannot mistakenly set a prize to a value the contract cannot afford to pay out.
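The following is an added illustration of the kind of check the report asks for; it is not code from Raffle.sol or the Plume project. It assumes prizes are paid in native ETH held by the contract and that the contract tracks the total value it has already committed to active prizes (the `committedValue` accumulator, the `_payout` helper and the simplified `Prize` struct are assumptions for this example; the real contract's payout asset and storage layout are not shown in the report).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal raffle with an addPrize that refuses to commit more value than
/// the contract currently holds. Illustrative only; field names and the
/// ETH-denominated payout are assumptions, not the audited contract's design.
contract RaffleFundsCheckExample {
    struct Prize {
        string name;
        uint256 value;     // payout per unit, in wei (assumed)
        uint256 quantity;  // number of units still claimable
        bool isActive;
    }

    address public immutable admin;
    uint256 public nextPrizeId;
    // Sum of value * quantity over all active prizes: the contract's outstanding obligations.
    uint256 public committedValue;
    mapping(uint256 => Prize) public prizes;

    event PrizeAdded(uint256 indexed prizeId, string name);
    event PrizePaid(uint256 indexed prizeId, address indexed winner, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // Funding path: the contract must hold ETH before prizes can be backed by it.
    receive() external payable {}

    function addPrize(string calldata name, uint256 value, uint256 quantity)
        external
        onlyAdmin
    {
        require(quantity > 0, "Quantity must be greater than 0");
        // Checked arithmetic (0.8+) reverts on overflow, so an absurd value*quantity cannot wrap.
        uint256 obligation = value * quantity;
        // The missing check: everything already promised plus this new prize
        // must be covered by funds the contract holds right now.
        require(
            committedValue + obligation <= address(this).balance,
            "Insufficient funds to back prize"
        );
        committedValue += obligation;

        uint256 prizeId = nextPrizeId++;
        prizes[prizeId] = Prize({name: name, value: value, quantity: quantity, isActive: true});
        emit PrizeAdded(prizeId, name);
    }

    // Admin may retire a prize; its unpaid units are released from the commitment.
    function deactivatePrize(uint256 prizeId) external onlyAdmin {
        Prize storage p = prizes[prizeId];
        require(p.isActive, "not active");
        p.isActive = false;
        committedValue -= p.value * p.quantity;
    }

    // Paying one unit of a prize keeps the accumulator in sync with real outflows.
    // In a full contract this would be reached from the winner-selection / claim path.
    function _payout(uint256 prizeId, address payable winner) internal {
        Prize storage p = prizes[prizeId];
        require(p.isActive && p.quantity > 0, "no units left");
        p.quantity -= 1;
        if (p.quantity == 0) {
            p.isActive = false;
        }
        committedValue -= p.value;
        (bool ok, ) = winner.call{value: p.value}("");
        require(ok, "payout failed");
        emit PrizePaid(prizeId, winner, p.value);
    }
}
```

The balance comparison alone is only a point-in-time check: if any other path can move funds out of the contract without touching `committedValue`, a prize that passed the check at creation can still become unpayable later. Keeping the accumulator as a contract-wide invariant (every outflow and every prize change adjusts it) is what makes the check at addPrize meaningful over the prize's lifetime.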
Impact Details
Mistakenly or intentionally setting the prize to a value that the contract cannot afford to offer would result in the contract failing to deliver the promised payout: when a user tries to claim the prize, the transaction would revert due to insufficient funds. This effectively prevents users from receiving their winnings.
References
https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Raffle.sol#L128
Proof of Concept