Claimed raffle can still be cancelled and Vice-Versa

Summary

In the WinnablesPrizeManager.sol::claimPrize and the WinnablesPrizeManager.sol::_cancelRaffle functions, there is no synchronization to ensure a cancelled raffle cannot be claimed and vice versa.

Vulnerability Detail

The WInnablesPrizeManager is the holder of the prizes of all raffles, in the _cancelRaffle function, there is only a check for the status of the raffle is cancelled if (_rafflePrize[raffleId].status == RafflePrizeStatus.CANCELED) revert InvalidRaffle(); so if the _rafflePrize[raffleId].status holds any other state aside RafflePrizeStatus.CANCELED, it'll pass.

IN the claimPrize, there is no check for _rafflePrize[raffleId].status == RafflePrizeStatus.CANCELED, meaning a winner of a pending or already cancelled raffle can still claim the prize.

Impact

Loss of funds, as cancel prize reduces prizes left and claim does same thing, cause accounting issues and loss of funds

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesPrizeManager.sol#L105

Tool used

Manual Review

sherlock-audit / 2024-08-winnables-raffles-judging

John_Femi - Claimed raffle can still be cancelled and Vice-Versa #612