dany.armstrong90 - Lack of support on custodial wallets or smart contract wallet

[sherlock-admin4]

dany.armstrong90

Medium

Lack of support on custodial wallets or smart contract wallet

Summary

Custodial wallet or smart contract wallet has different addresses in ethereum and avalanche network. The protocol uses ethereum and avalanche network and transfers winner's address from avalanche to ethereum network. Therefore, the winners who uses such wallets which have different addresses in ethereum and avalanche network can't claim prize.

Vulnerability Detail

The winner of a raffle is determined by WinnablesTicketManager in avalanche network. The winner's address will be transferred to the WinnablesPrizeManager in ethereum network through CCIP. The winner should claim prize in ethereum network. If the winner uses a wallet such as custodial wallet or smart contract wallet, the winner's wallet address may be different in ethereum and avalanche network. Therefore, the winner can't claim his prize from WinnablesPrizeManager contract because WinnablesPrizeManager will compare msg.sender with different address which was transferred from WinnablesTicketManager in avalanche network.

Impact

The winner who uses wallet which have different addresses in ethereum and avalanche network such as custodial wallet or smart contract wallet can't claim his prize after raffle finishes.

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesTicketManager.sol#L334-L344 https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesPrizeManager.sol#L105-L124

Tool used

Manual Review

Recommendation

Add supports on wallets which have different addresses in ethereum and avalanche network such as custodial wallet or smart contract wallet.

[WangSecurity]

This issue will be validated with medium severity and duplicated with #122. For more info, refer to this comment.