Submission Details
Severity: medium
Invalid

Entering the raffle after it has ended.

Summary

The raffle does not enforce its own end time: anyone can enter even after the raffle is over.

Vulnerability Details

enterRaffle
function enterRaffle(address[] memory newPlayers) public payable {
    // missing a `raffle over check` here 👈
    require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
    for (uint256 i = 0; i < newPlayers.length; i++) {
        players.push(newPlayers[i]);
    }
    // Check for duplicates
    for (uint256 i = 0; i < players.length - 1; i++) {
        for (uint256 j = i + 1; j < players.length; j++) {
            require(players[i] != players[j], "PuppyRaffle: Duplicate player");
        }
    }
    emit RaffleEnter(newPlayers);
}

Impact

Players (bots, or in some cases humans) can try to abuse the raffle by adding entries after it should have closed, increasing their share of the pool and thereby skewing the odds in their favour (for example to 51/100 or 90/100).

It should be a fair raffle (lottery).

It would be unfair to players who entered expecting that nobody could join after the raffle ended, and who hoped to win among a fixed number of participants.

Tools Used

Manual review

Recommendations

enterRaffle fixed
function enterRaffle(address[] memory newPlayers) public payable {
    require(block.timestamp < raffleStartTime + raffleDuration, "PuppyRaffle: Raffle has over"); // here 👈 I added this check.
    require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
    for (uint256 i = 0; i < newPlayers.length; i++) {
        players.push(newPlayers[i]);
    }
    // Check for duplicates
    for (uint256 i = 0; i < players.length - 1; i++) {
        for (uint256 j = i + 1; j < players.length; j++) {
            require(players[i] != players[j], "PuppyRaffle: Duplicate player");
        }
    }
    emit RaffleEnter(newPlayers);
}
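A Foundry test, added here as an example and not part of this submission or of the PuppyRaffle code base, that exercises the recommended deadline check. It uses a hypothetical MinimalRaffle contract that models only enterRaffle's time guard (the constructor arguments, the players getter and the test names are assumptions), and asserts that an entry at or after raffleStartTime + raffleDuration reverts while an earlier entry succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal raffle modelling only the recommended time guard; not the PuppyRaffle contract.
contract MinimalRaffle {
    uint256 public immutable entranceFee;
    uint256 public immutable raffleDuration;
    uint256 public raffleStartTime;
    address[] public players;
    constructor(uint256 _entranceFee, uint256 _raffleDuration) {
        entranceFee = _entranceFee;
        raffleDuration = _raffleDuration;
        raffleStartTime = block.timestamp;
    }
    function enterRaffle(address[] memory newPlayers) public payable {
        // Reject entries once the raffle window has elapsed (the check proposed above).
        require(block.timestamp < raffleStartTime + raffleDuration, "PuppyRaffle: Raffle has over");
        require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
    }
}

contract RaffleEndCheckTest is Test {
    uint256 constant FEE = 1 ether;
    uint256 constant DURATION = 1 days;
    MinimalRaffle raffle;

    function setUp() public {
        raffle = new MinimalRaffle(FEE, DURATION);
    }

    function _single(address who) internal pure returns (address[] memory p) {
        p = new address[](1);
        p[0] = who;
    }

    function testEntryBeforeDeadlineSucceeds() public {
        raffle.enterRaffle{value: FEE}(_single(address(1)));
        assertEq(raffle.players(0), address(1));
    }

    function testEntryAtOrAfterDeadlineReverts() public {
        vm.warp(block.timestamp + DURATION); // deadline reached: the strict "<" check now fails
        vm.expectRevert(bytes("PuppyRaffle: Raffle has over"));
        raffle.enterRaffle{value: FEE}(_single(address(2)));
    }
}
```

Run with `forge test` in a project that has forge-std installed; without the time guard the second test fails because the late entry is accepted.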
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
