sherlock-audit / 2024-08-winnables-raffles-judging

6 stars 2 forks source link

ogKapten - Unauthorized Actors Will Permanently Lock the Raffle Prize for the Raffle Creator #548

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

ogKapten

High

Unauthorized Actors Will Permanently Lock the Raffle Prize for the Raffle Creator

Summary

The missing access control on the cancelRaffle function in WinnablesTicketManager will cause a potential loss of funds for the raffle creator (admin) as an unauthorized actor can call this function and provide an incorrect prizeManager address, causing the raffle prize to be permanently locked in the WinnablesPrizeManager contract.

Root Cause

In WinnablesTicketManager::278 cancelRaffle function lacks access control and no input validation, allowing any external account to invoke the function.

Internal pre-conditions

  1. Any external account needs to call cancelRaffle() with a chosen prizeManager address.

External pre-conditions

The provided prizeManager address is not actual WinnablesPrizeManager makes the lockedPrize for that Raffles permanantly locked inside the contract.

Attack Path

  1. An unauthorized actor calls the cancelRaffle() function and sets an incorrect prizeManager address.
  2. The raffle status is updated to CANCELED.
  3. The message is sent using _sendCCIPMessage() but is never received due to the incorrect address.
  4. The raffle creator (admin) is unable to withdraw the prize, causing it to remain permanently locked in the contract.

Impact

The raffle creator (admin) suffers a loss of the prize for the raffle. The attacker doesn't directly gain anything but causes a denial of service by locking the prize permanently.

PoC

No response

Mitigation

Implement proper access control by restricting the cancelRaffle function to only be callable by the raffle creator (admin) or a trusted role.

Duplicate of #57