Reentrancy Attack while calling `claimPrize()`

Summary

Reentrancy Attack while calling claimPrize()

Vulnerability Detail

Malicious user can claim all locked ETH of user's through claimPrize()

As no CEI effect is followed during claimPrize() and state gets updated after the ETH gets transferred which leads to malicious user can do reentrancy attack and steal user's fund.

unchecked { _ethLocked -= _ethRaffles[raffleId]; }
        _sendETHPrize(_ethRaffles[raffleId], msg.sender);
    } else revert InvalidRaffle();
    if (msg.sender != rafflePrize.winner) revert UnauthorizedToClaim();
    if (rafflePrize.status == RafflePrizeStatus.CLAIMED) revert AlreadyClaimed();
    rafflePrize.status = RafflePrizeStatus.CLAIMED;

So a malicious user can claim all of the Locked Eth inside the contract.

Impact

malicious user would steal all of the Locked Eth inside the contract.
Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesPrizeManager.sol#L105

Tool used

Manual Review

sherlock-audit / 2024-08-winnables-raffles-judging

smbv-1923 - Reentrancy Attack while calling `claimPrize()` #552

Reentrancy Attack while calling `claimPrize()`

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

sherlock-audit / 2024-08-winnables-raffles-judging

smbv-1923 - Reentrancy Attack while calling `claimPrize()` #552

Reentrancy Attack while calling claimPrize()

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Reentrancy Attack while calling `claimPrize()`