Submission Details
Severity: high
Valid

Able to Add Invalid Address to be The Player

Summary

The function enterRaffle does not validate participants, so the invalid address zero (0x0) can be added to the players array.
Including address zero as a player gives the players array an improper length.

Consequently, the improper players length makes the totalAmountCollected calculation (L131-133) incorrect: the total amount collected may be overestimated, since contributions attributed to the zero address are not valid.

Vulnerability Details

The function enterRaffle allows an invalid participant, address zero (0x0), to be added to the players array without validation. Including address zero in the players array results in an improper array length.

This can lead to data integrity issues and to errors in the totalAmountCollected calculation within the contract.

Impact

This issue affects data integrity by including invalid participants.
It also leads to an overestimation of the total amount collected (totalAmountCollected) due to the inclusion of zero addresses.

Tools Used

VS Code (manual review)

Recommendations

Implement address validation in enterRaffle to prevent zero addresses from being added to the players array.

A suggested fix is here: https://gist.github.com/filmptz/726d28d517a356da4778bbc16a49cc50#file-puppyraffle-sol-enterraffle
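To make the recommendation concrete, the following is an added, simplified sketch of the entry path this finding describes, with the unchecked version next to the hardened one and a Foundry test that exercises both. It is not PuppyRaffle's own source and not the code in the linked gist: the contract name `RaffleSketch`, the function names `enterRaffleVulnerable` and `totalAmountCollected`, the revert strings, the sample address `0xBEEF` and the dependency on forge-std are all assumptions made for this illustration; only the shape of the loop that pushes each entrant, the fee check, and the `players.length * entranceFee` total follow the behaviour discussed above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol"; // assumed: forge-std available in lib/

/// Illustrative reconstruction of the raffle entry path, not the project's code.
/// Only the parts relevant to the zero-address check are modelled.
contract RaffleSketch {
    uint256 public immutable entranceFee;
    address[] public players;

    event RaffleEnter(address[] newPlayers);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // UNCHECKED (the behaviour this finding reports): every element of
    // newPlayers is pushed as-is, so address(0) becomes a player and is
    // counted in players.length.
    function enterRaffleVulnerable(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        emit RaffleEnter(newPlayers);
    }

    // HARDENED (the recommendation): reject address(0) before it is stored.
    // The check sits in the same loop, so one invalid entry reverts the whole
    // transaction and no partial batch is ever recorded.
    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            require(newPlayers[i] != address(0), "Zero address cannot be a player");
            players.push(newPlayers[i]);
        }
        emit RaffleEnter(newPlayers);
    }

    // The length-derived total the finding refers to: a zero-address entry
    // inflates players.length and therefore this figure.
    function totalAmountCollected() public view returns (uint256) {
        return players.length * entranceFee;
    }
}

/// Foundry test (assumed harness) showing the difference between the two paths.
contract RaffleSketchTest is Test {
    RaffleSketch private raffle;
    uint256 private constant FEE = 1 ether;

    function setUp() public {
        raffle = new RaffleSketch(FEE);
        vm.deal(address(this), 10 ether); // fund the test contract to pay entrance fees
    }

    // Constructed sample batch: one ordinary address plus address(0).
    function _batch() private pure returns (address[] memory entrants) {
        entrants = new address[](2);
        entrants[0] = address(0xBEEF); // constructed sample address
        entrants[1] = address(0);
    }

    function testUncheckedPathCountsZeroAddress() public {
        raffle.enterRaffleVulnerable{value: 2 * FEE}(_batch());
        // address(0) was stored and counted toward the total
        assertEq(raffle.totalAmountCollected(), 2 * FEE);
        assertEq(raffle.players(1), address(0));
    }

    function testHardenedPathRejectsZeroAddress() public {
        vm.expectRevert(bytes("Zero address cannot be a player"));
        raffle.enterRaffle{value: 2 * FEE}(_batch());
        // the whole batch was rejected, nothing was recorded
        assertEq(raffle.totalAmountCollected(), 0);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The two tests show the distinction that matters for this finding: on the unchecked path the zero address is stored and inflates the length-based total, while on the hardened path the single `require` in the loop rejects the batch before any state is written.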

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also get this issue. Impact: High. Likelihood: High.
