if two separate players are refunded, it will prevent any new players from entering the raffle.
This can occur accidentally or be exploited by a malicious actor.
When a player is refunded, their address in the players array is set to the zero address rather than removed from the array. In the enterRaffle function's nested for loop, the duplicate check `players[i] != players[j]` then compares the two zero-address entries as equal, so the require fails and every new entry attempt reverts.
This can easily occur accidentally if two players happen to refund their tickets.
An attacker can also exploit this vulnerability to DoS the raffle and, at minimal cost, effectively ensure they win.
For example, they can:
- generate multiple addresses and monitor for when the next raffle starts, and in one bundle, right when it starts:
  - enter the raffle with these addresses (it does not even have to be that many, as opposed to the other DoS vector);
  - call refund on two of those addresses, locking any new players out of the raffle.
This ensures with high probability that they will win the raffle.
- To delete an index from an array without leaving a hole that triggers this error, use the swap-and-pop method: the item to remove is swapped with the last item of the array, and then pop() is called on the array to delete the last item.
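As an added illustration (not the raffle project's own code; the contract, function and error names below are assumed, and owner, fee and winner logic are omitted), a reduced contract showing the hole-leaving refund beside a swap-and-pop version:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal model of the raffle's player bookkeeping (example only).
// refundVulnerable mirrors the reported bug: it leaves address(0) in the array.
// refundFixed uses swap-and-pop so no zero-address holes remain.
contract RaffleEntries {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "Raffle: wrong fee");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        // Duplicate check from the report. Two address(0) holes compare equal,
        // so after a second vulnerable refund every call here reverts.
        for (uint256 i = 0; i + 1 < players.length; i++) {
            for (uint256 j = i + 1; j < players.length; j++) {
                require(players[i] != players[j], "Raffle: duplicate player");
            }
        }
    }

    // Vulnerable: leaves a hole; two holes make enterRaffle revert permanently.
    function refundVulnerable(uint256 playerIndex) public {
        require(players[playerIndex] == msg.sender, "Raffle: not your entry");
        players[playerIndex] = address(0); // state updated before paying out
        payable(msg.sender).transfer(entranceFee);
    }

    // Fixed: swap the refunded slot with the last entry, then pop it.
    // Caveat: the moved player's index changes, so callers must re-query
    // their index (e.g. by scanning players) rather than cache it.
    function refundFixed(uint256 playerIndex) public {
        require(players[playerIndex] == msg.sender, "Raffle: not your entry");
        uint256 last = players.length - 1;
        if (playerIndex != last) {
            players[playerIndex] = players[last];
        }
        players.pop(); // array shrinks; no address(0) left behind
        payable(msg.sender).transfer(entranceFee);
    }
}
```

With refundFixed, two refunds shrink the array by two instead of leaving two equal zero entries, so the duplicate check in enterRaffle keeps working for later entrants.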
Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.