# 50949 sc insight no check if raffle actually has enough funds

**Submitted on Jul 29th 2025 at 22:19:06 UTC by @PotEater for** [**Attackathon | Plume Network**](https://immunefi.com/audit-competition/plume-network-attackathon)

* **Report ID:** #50949
* **Report Type:** Smart Contract
* **Report severity:** Insight
* **Target:** <https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Raffle.sol>
* **Impacts:**
  * Contract fails to deliver promised returns, but doesn't lose value

## Description

### Brief/Intro

In the `Raffle.sol` contract, in the function `addPrize`, there is no check that the raffle actually has enough funds to cover the prize.

### Vulnerability Details

The function `addPrize` is used to add a new prize to the raffle system. However, it never checks that the contract actually holds enough funds to cover `value * quantity`, so an admin can register a prize the contract cannot afford to pay out.

Code snippet:


```solidity
    function addPrize(
        string calldata name,
        string calldata description,
        uint256 value,
        uint256 quantity
    ) external onlyRole(ADMIN_ROLE) {
        uint256 prizeId = nextPrizeId++;
        prizeIds.push(prizeId);

        require(bytes(prizes[prizeId].name).length == 0, "Prize ID already in use");
        require(quantity > 0, "Quantity must be greater than 0");

        prizes[prizeId] = Prize({ 
            name: name,
            description: description,
            value: value,
            endTimestamp: 0,
            isActive: true,
            winner: address(0), // deprecated
            winnerIndex: 0, // deprecated
            claimed: false, // deprecated
            quantity: quantity
        });

        emit PrizeAdded(prizeId, name);
    }
```

This function should implement a check that ensures the admin doesn't mistakenly set the prize to some large value that the contract cannot afford to offer, i.e. that the prize's total liability does not exceed the funds the contract actually holds and has not already promised to other prizes.
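One way to implement that check, shown here as an added example rather than code from the Plume `Raffle.sol` contract: the registry keeps a running `committedFunds` total of every active prize's liability and refuses a new prize whose `value * quantity` exceeds the unreserved balance. The example assumes (these assumptions are not stated in the report) that prizes are paid in native ETH from the contract's own balance and that `value` is denominated in wei per unit; the contract name, `committedFunds`, `availableFunds` and `_payOut` are names chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the Plume Raffle contract: a minimal prize registry
/// that refuses to register a prize it cannot fund.
/// Assumptions (not from the report): prizes are paid in native ETH held by
/// this contract, `value` is wei per unit, and all `quantity` units may be won.
contract FundedPrizeRegistry {
    struct Prize {
        string name;
        uint256 value;    // wei paid per unit
        uint256 quantity; // units still claimable
        bool isActive;
    }

    address public immutable admin;
    uint256 public nextPrizeId;
    mapping(uint256 => Prize) public prizes;

    /// Sum of value * quantity over every active prize: funds already promised.
    uint256 public committedFunds;

    event PrizeAdded(uint256 indexed prizeId, string name);

    error NotAdmin();
    error ZeroQuantity();
    error InsufficientFunds(uint256 required, uint256 available);

    constructor() {
        admin = msg.sender;
    }

    /// Accept ETH deposits that back future prizes.
    receive() external payable {}

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    /// Balance not yet reserved for an existing prize.
    function availableFunds() public view returns (uint256) {
        return address(this).balance - committedFunds;
    }

    /// The check missing from the reported `addPrize`: reserve the full
    /// liability up front and revert if the contract cannot cover it.
    function addPrize(string calldata name, uint256 value, uint256 quantity)
        external
        onlyAdmin
        returns (uint256 prizeId)
    {
        if (quantity == 0) revert ZeroQuantity();
        uint256 required = value * quantity; // 0.8 checked math reverts on overflow
        uint256 available = availableFunds();
        if (required > available) revert InsufficientFunds(required, available);

        committedFunds += required;
        prizeId = nextPrizeId++;
        prizes[prizeId] = Prize({ name: name, value: value, quantity: quantity, isActive: true });
        emit PrizeAdded(prizeId, name);
    }

    /// Payout path: release one unit and its reservation together, so
    /// committedFunds always equals what can still be claimed.
    function _payOut(uint256 prizeId, address payable winner) internal {
        Prize storage p = prizes[prizeId];
        require(p.isActive && p.quantity > 0, "Prize unavailable");
        p.quantity -= 1;
        committedFunds -= p.value;
        if (p.quantity == 0) p.isActive = false;
        (bool ok, ) = winner.call{ value: p.value }("");
        require(ok, "Transfer failed");
    }

    /// Admin withdrawals must respect the reservation too, otherwise the
    /// check in addPrize can be undone after the fact.
    function withdraw(uint256 amount, address payable to) external onlyAdmin {
        uint256 available = availableFunds();
        if (amount > available) revert InsufficientFunds(amount, available);
        (bool ok, ) = to.call{ value: amount }("");
        require(ok, "Transfer failed");
    }
}
```

The reservation has to be maintained on every path that changes the balance or the prize set: a deactivation or quantity reduction should lower `committedFunds`, and any withdrawal must be capped at `availableFunds()`. Checking the balance only at `addPrize` time is not enough if funds can later leave the contract while the prize stays active.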

### Impact Details

Mistakenly or intentionally setting the prize to a value that the contract cannot afford to offer would result in the contract failing to deliver the promised payout: when a user tries to claim the prize, the transaction would revert due to insufficient funds. This effectively prevents users from receiving their winnings.

### References

<https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Raffle.sol#L128>

## Proof of Concept

{% stepper %}
{% step %}

### Step

The admin sets a prize to a value that the contract cannot afford to offer (example: $10m). This could be malicious or accidental.
{% endstep %}

{% step %}

### Step

A user places a bet and wins the (overstated) $10m prize.
{% endstep %}

{% step %}

### Step

The user attempts to claim the prize, but the claim transaction reverts due to insufficient contract funds.
{% endstep %}

{% step %}

### Step

The user is unable to receive the prize—effectively scammed by the contract's inability to pay the declared prize.
{% endstep %}
{% endstepper %}
