Submission Details
Severity: high
Valid

The refund() function lets users populate the players array with zero addresses, which can cause loss of funds.

Summary

The PuppyRaffle contract has a high-severity vulnerability in the refund function. This vulnerability could allow malicious players to manipulate the players array, potentially affecting the winner selection process and leading to a loss of funds.

Vulnerability Details

    function refund(uint256 playerIndex) public {
        // Rest of code
        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);
    }

Each time a user refunds, the refund function overwrites that user's slot in the players[] array with the zero address instead of removing it. The selectWinner() function selects the winner by index into players, so it can select one of these zeroed slots. This could lead to a transfer to the zero address and thus a loss of funds.

Impact

Severity: High (Loss of funds)

Likelihood: High (The likelihood increases as the number of users refunding increases)

Tools Used

VS Code

Recommendations

  1. Populate the players array in a different way, so that every entry is a valid player's address:

    function refund(uint256 playerIndex) public {
        // Rest of code
        players[playerIndex] = players[players.length - 1];
        players.pop();
        emit RaffleRefunded(playerAddress);
    }

  2. Check for the zero address before transferring (in selectWinner()).
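
The two recommendations side by side with the reported pattern, as an added example that is not the PuppyRaffle source or the submitter's code. It models only the players array; the contract and function names are hypothetical, and entrance fees, prize transfers and the randomness source are assumed away.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added model of the players array only; not the PuppyRaffle source. Hypothetical names
// throughout. Assumption: entrance fees and prize transfers are left out.
contract RaffleModel {
    address[] public players;

    function enter() external { players.push(msg.sender); }

    // Reported pattern: the slot is zeroed, players.length never shrinks,
    // and address(0) stays eligible when a winner is picked by index.
    function refundZeroing(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not your slot");
        players[playerIndex] = address(0);
    }

    // Recommendation 1: swap-and-pop, so every remaining slot is a live player.
    // The moved player's index changes, so indices must not be cached off-chain.
    function refundSwapPop(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "not your slot");
        players[playerIndex] = players[players.length - 1];
        players.pop();
    }

    // Recommendation 2: reject a zero-address winner before any transfer.
    // On its own this turns the loss into a revert; with swap-and-pop it never fires.
    // `seed` stands in for the raffle's winner index source (assumption).
    function pickWinner(uint256 seed) external view returns (address winner) {
        require(players.length > 0, "no players");
        winner = players[seed % players.length];
        require(winner != address(0), "selected slot was refunded");
    }

    function playerCount() external view returns (uint256) { return players.length; }
}
// One entrant refunds under each variant; compare the resulting array lengths.
contract RaffleModelCheck {
    function run() external returns (uint256 afterZeroing, uint256 afterSwapPop) {
        RaffleModel a = new RaffleModel();
        a.enter();
        a.refundZeroing(0);
        afterZeroing = a.playerCount();
        RaffleModel b = new RaffleModel();
        b.enter();
        b.refundSwapPop(0);
        afterSwapPop = b.playerCount();
    }
}
```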

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
