F-2024-0006 · missing-refund

Locked funds on Raffle contract when sending higher value than the fee on requestRandomNumber

Acknowledged · dex · amm · raffle
TL;DR

requestRandomNumber accepts payment but does not refund excess value above the required fee, so any over-payment is permanently locked in the raffle contract.

Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
Complexity
LOW
Exploitability
MEDIUM
Description

The requestRandomNumber function in the MonadexV1Raffle contract accepts payment for requesting a random number but does not provide a mechanism to refund excess fees. Users must calculate the exact fee required, and any excess amount sent will be locked in the contract.

Impact

  1. Users may lose funds if they send more ETH than the required fee.
  2. Excess funds will accumulate in the contract without a way to retrieve them.
Recommendation

Implement a refund mechanism for excess fees. Also add a function that allows users to query the current fee.
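The pattern behind this finding, shown as an added illustration rather than the audited MonadexV1Raffle code: a minimal payable function that only checks a lower bound on `msg.value` and keeps everything sent, next to a version that exposes the fee and returns the excess. The contract names, the `_fee` storage variable and `getRequestFee` are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch, not the real MonadexV1Raffle implementation.
// `_fee` stands in for whatever the audited contract charges per request.

contract RaffleNoRefund {
    uint256 private immutable _fee;

    constructor(uint256 fee_) { _fee = fee_; }

    // Vulnerable pattern: accepts any value >= fee and never returns the
    // difference, so an over-payment is held by the contract with no
    // withdrawal path (the finding described above).
    function requestRandomNumber() external payable {
        require(msg.value >= _fee, "insufficient fee");
        // ... request randomness; msg.value - _fee stays locked forever
    }
}

contract RaffleWithRefund {
    uint256 private immutable _fee;

    constructor(uint256 fee_) { _fee = fee_; }

    // Lets callers read the exact fee before sending value.
    function getRequestFee() external view returns (uint256) { return _fee; }

    function requestRandomNumber() external payable {
        require(msg.value >= _fee, "insufficient fee");
        uint256 excess = msg.value - _fee;

        // ... request randomness and update state here, BEFORE the refund,
        // so the external call below cannot re-enter a half-updated contract.

        if (excess > 0) {
            // Refund via low-level call (no 2300-gas stipend limit);
            // if the caller cannot receive ETH, the whole request reverts
            // rather than silently keeping the excess.
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```

If a reverting refund is undesirable (for example, callers that are contracts without a `receive` function), the alternative is to require `msg.value == _fee` and let the caller read the fee first via the view function.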

© 2026 Zealynx