Ancient Neon Koala
Medium
If the token used in the raffle of ERC20Incentive is paused or locked, the winning address will lose his winning ticket.
The specifications of the protocol state that Protocol should work with all native and ERC20 tokens that adhear to standard including weird tokens. This includes tokens which can be paused (such as BNB).
In drawRaffle, the winning entry is determined at the same time as the transfer being initiated to the winner's address:
function drawRaffle() external override onlyOwner {
if (strategy != Strategy.RAFFLE) revert BoostError.Unauthorized();
LibPRNG.PRNG memory _prng = LibPRNG.PRNG({state: block.prevrandao + block.timestamp});
address winnerAddress = entries[_prng.next() % entries.length];
asset.safeTransfer(winnerAddress, reward);
emit Claimed(winnerAddress, abi.encodePacked(asset, winnerAddress, reward));
}As a result, if the asset was paused or locked at the time that the raffle was drawn, the transaction will revert. By the time the contract is unpaused, the winning entry will again be calculated using a new block.timestamp and block.prevrandao which is not guaranteed to result in the same winning entry.
The winner of the raffle will not be able to claim his winning entry if the contract was paused at the time of drawing the raffle. Since it will be recalculated anew once the raffle is drawn again, his original winning entry is lost and he has to win it again on the new draw.
This results in loss of funds for that user, as he should have received the tokens from his first win, but will no longer be guaranteed to win.
Manual Review
Consider using a push-pull mechanism that allows for lottery winners to claim their winnings separately from when the winning entry is determined.