Attacker can block the winner from claiming the prize
Summary
After a raffle concludes and a winner is selected, any user can call the propagateRaffleWinner function to send the winner's details to the prize manager, enabling the winner to claim the prize using the claimPrize function. However, an issue arises because the propagateRaffleWinner function does not validate the user-provided data. This allows an attacker to send a CCIP message to any contract, changing the raffle's status to PROPAGATED. If the winner's information does not reach the prize manager, they will be unable to claim the prize, and the altered raffle status will prevent the propagateRaffleWinner function from being called again.
Root Cause
The lack of validation for parameters passed to the propagateRaffleWinner function (prizeManager, chainSelector).
Internal pre-conditions
The raffle winner is selected.
The raffle has a FULFILLED status (the VRF returns a random number).
External pre-conditions
No response
Attack Path
The attacker monitors the status change of the raffle on Avalanche, either by observing the mempool or listening for the WinnerDrawn event.
Upon status change, the attacker calls the propagateRaffleWinner function with parameters that allow the transaction to succeed but without sending the message to the PrizeManager.
Impact
The protocol incurs a loss due to CCIP transmission fees in WinnablesTicketManager caused by the attacker.
Since the winner's information never reaches the prize manager, they will be unable to claim their prize using the claimPrize function.
PoC
No response
Mitigation
If the propagateRaffleWinner function is intended to be available to everyone, the data provided by the user should be validated, allowing only the appropriate prizeManager and chainSelector.
A good solution could be to set these parameters (since they are immutable for the chain) beforehand so that they don't need to be provided as function arguments.
The final solution should align with the application's design decisions.
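Both mitigation options, sketched as an added Solidity example that is not code from the audited project. Only propagateRaffleWinner, prizeManager, chainSelector, FULFILLED and PROPAGATED come from this report; the contract name, the parameter types, the raffleId argument and the _sendCCIP hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's source. Names other than propagateRaffleWinner,
// prizeManager, chainSelector, FULFILLED and PROPAGATED are assumptions, as are the
// parameter types and the raffleId argument.
abstract contract TicketManagerSketch {
    enum RaffleStatus { NONE, FULFILLED, PROPAGATED }

    error InvalidRaffleStatus();
    error UnknownDestination();

    // Destination pinned at deployment instead of being supplied by the caller.
    address public immutable prizeManager;
    uint64 public immutable chainSelector;

    mapping(uint256 => RaffleStatus) internal _status;
    mapping(uint256 => address) internal _winner;

    constructor(address prizeManager_, uint64 chainSelector_) {
        if (prizeManager_ == address(0)) revert UnknownDestination();
        prizeManager = prizeManager_;
        chainSelector = chainSelector_;
    }

    // Hypothetical hook standing in for the contract's CCIP send.
    function _sendCCIP(address receiver, uint64 selector, bytes memory data) internal virtual;

    // Variant A: no destination arguments, so a caller has nothing to forge.
    function propagateRaffleWinner(uint256 raffleId) external {
        _propagate(raffleId);
    }

    // Variant B: keeps the destination arguments but accepts only the pinned pair.
    function propagateRaffleWinner(address prizeManager_, uint64 chainSelector_, uint256 raffleId) external {
        if (prizeManager_ != prizeManager || chainSelector_ != chainSelector) revert UnknownDestination();
        _propagate(raffleId);
    }

    function _propagate(uint256 raffleId) private {
        if (_status[raffleId] != RaffleStatus.FULFILLED) revert InvalidRaffleStatus();
        _status[raffleId] = RaffleStatus.PROPAGATED; // state change before the external send
        _sendCCIP(prizeManager, chainSelector, abi.encode(raffleId, _winner[raffleId]));
    }
}
```

In either variant a call with an unexpected destination reverts before the status changes, so the raffle stays FULFILLED and a later legitimate call can still propagate the winner.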
PNS
High
Duplicate of #50