Unauthorized Actors Will Permanently Lock the Raffle Prize for the Raffle Creator
Summary
The missing access control on the cancelRaffle function in WinnablesTicketManager will cause a potential loss of funds for the raffle creator (admin) as an unauthorized actor can call this function and provide an incorrect prizeManager address, causing the raffle prize to be permanently locked in the WinnablesPrizeManager contract.
Root Cause
In WinnablesTicketManager::278, the cancelRaffle function lacks access control and input validation, allowing any external account to invoke the function.
Internal pre-conditions
Any external account needs to call cancelRaffle() with a chosen prizeManager address.
External pre-conditions
The provided prizeManager address is not the actual WinnablesPrizeManager, which leaves the lockedPrize for that raffle permanently locked inside the contract.
Attack Path
An unauthorized actor calls the cancelRaffle() function and sets an incorrect prizeManager address.
The raffle status is updated to CANCELED.
The message is sent using _sendCCIPMessage() but is never received due to the incorrect address.
The raffle creator (admin) is unable to withdraw the prize, causing it to remain permanently locked in the contract.
Impact
The raffle creator (admin) suffers a loss of the prize for the raffle. The attacker doesn't directly gain anything but causes a denial of service by locking the prize permanently.
PoC
No response
Mitigation
Implement proper access control by restricting the cancelRaffle function to only be callable by the raffle creator (admin) or a trusted role.
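An added sketch of the mitigation, not code from the Winnables repository or from the report's author: the contract name, storage layout, errors, event and helper functions are all hypothetical. It goes one step beyond the caller restriction described above by also taking the destination from admin-set storage, which addresses the missing input validation named under Root Cause.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Illustrative stand-in only; every name here is an assumption.
contract GuardedTicketManager {
    enum Status { NONE, OPEN, CANCELED }

    address public immutable admin;      // assumed single trusted role
    address public prizeManager;         // trusted destination contract
    uint64 public prizeManagerChain;     // chain selector of that contract
    mapping(uint256 => Status) public raffles;

    error NotAdmin();
    error DestinationNotSet();
    error RaffleExists(uint256 raffleId);
    error RaffleNotOpen(uint256 raffleId);

    // Stand-in for the report's _sendCCIPMessage(); a real contract would
    // hand the payload to its cross-chain router at this point.
    event CancelMessageSent(address indexed to, uint64 chain, uint256 raffleId);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() { admin = msg.sender; }

    // Destination is configured by the admin, never supplied per call.
    function setPrizeManager(address manager, uint64 chain) external onlyAdmin {
        if (manager == address(0)) revert DestinationNotSet();
        prizeManager = manager;
        prizeManagerChain = chain;
    }

    function openRaffle(uint256 raffleId) external onlyAdmin {
        if (raffles[raffleId] != Status.NONE) revert RaffleExists(raffleId);
        raffles[raffleId] = Status.OPEN;
    }

    // Restricted caller, and no caller-chosen address that can be wrong.
    function cancelRaffle(uint256 raffleId) external onlyAdmin {
        if (prizeManager == address(0)) revert DestinationNotSet();
        if (raffles[raffleId] != Status.OPEN) revert RaffleNotOpen(raffleId);
        raffles[raffleId] = Status.CANCELED;
        emit CancelMessageSent(prizeManager, prizeManagerChain, raffleId);
    }
}
```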
ogKapten
High
Duplicate of #57