search
Active Boosts

50949 sc insight no check if raffle actually has enough funds

Submitted on Jul 29th 2025 at 22:19:06 UTC by @PotEater for Attackathon | Plume Networkarrow-up-right

  • Report ID: #50949

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Raffle.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

In the Raffle.sol contract, in the function addPrize, there is no check that the raffle actually has enough funds to cover the prize.

hashtag
Vulnerability Details

The function addPrize is used to add a new prize to the raffle system. However, there is no check that the contract actually has enough to cover the prize and can afford to offer such a prize.

Code snippet:

Raffle.sol (excerpt)
    function addPrize(
        string calldata name,
        string calldata description,
        uint256 value,
        uint256 quantity
    ) external onlyRole(ADMIN_ROLE) {
        uint256 prizeId = nextPrizeId++;
        prizeIds.push(prizeId);

        require(bytes(prizes[prizeId].name).length == 0, "Prize ID already in use");
        require(quantity > 0, "Quantity must be greater than 0");

        prizes[prizeId] = Prize({ 
            name: name,
            description: description,
            value: value,
            endTimestamp: 0,
            isActive: true,
            winner: address(0), // deprecated
            winnerIndex: 0, // deprecated
            claimed: false, // deprecated
            quantity: quantity
        });

        emit PrizeAdded(prizeId, name);
    }

This function should implement a check that ensures admin doesn't mistakenly set the prize to some large value that the contract cannot afford to offer.

hashtag
Impact Details

Mistakenly or intentionally setting the prize to a value that the contract cannot afford to offer would result in the contract failing to deliver the promised payout: when a user tries to claim the prize, the transaction would revert due to insufficient funds. This effectively prevents users from receiving their winnings.

hashtag
References

https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Raffle.sol#L128

hashtag
Proof of Concept

1

hashtag
Step

The admin sets a prize to a value that the contract cannot afford to offer (example: $10m). This could be malicious or accidental.

2

hashtag
Step

A user places a bet and wins the (overstated) $10m prize.

3

hashtag
Step

The user attempts to claim the prize, but the claim transaction reverts due to insufficient contract funds.

4

hashtag
Step

The user is unable to receive the prize—effectively scammed by the contract's inability to pay the declared prize.

Previous49705 sc medium two vectors for unbounded gas consumption due to the normal raffle operationsNext51455 sc low inflated earned ui rewards when validator stake is zero due to missing totalstaked guard in view logic

Was this helpful?