The refund function sets the address of a player who has requested a refund to the zero address (0x0) instead of removing it from the players array. This poses a risk in the selectWinner function, which could mistakenly select the zero address as a winner.
In the selectWinner function, the winner is randomly selected from the players array, which could include these zero addresses:
Potential Loss of Prize Pool: If a zero address is selected as a winner, the prize pool is sent to an inaccessible address, resulting in a loss of funds.
Reduced Trust in Raffle Integrity: The possibility of a non-participant (zero address) winning can undermine the integrity and fairness of the raffle.
Inefficient Use of Resources: Maintaining zero addresses in the players array leads to wastage of storage space and unnecessary processing during winner selection.
Remove Refunded Players from Array: Instead of setting a player's address to zero, remove the player from the players array upon a successful refund.
Implement Checks in Winner Selection: Add additional checks in the selectWinner function to ensure that the selected winner is not a zero address. If a zero address is selected, the function should repeat the selection process or skip to the next valid address.
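The two recommendations above, sketched as an added example; this is not the audited contract's code. The names entranceFee, enter and _payWinner, and the randomIndex parameter, are assumptions, and the randomness source is out of scope. Because swap-and-pop never leaves a zero entry, the winner check here acts as an invariant guard that reverts instead of re-drawing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. entranceFee, enter and
// _payWinner are hypothetical names chosen for this sketch.
contract RaffleRefundSketch {
    address[] public players;
    uint256 public immutable entranceFee;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    // Swap-and-pop: the refunded slot is overwritten by the last entry and the
    // array shrinks, so no address(0) placeholder is ever left behind.
    function refund(uint256 playerIndex) external {
        require(playerIndex < players.length, "bad index");
        require(players[playerIndex] == msg.sender, "not your slot");

        uint256 last = players.length - 1;
        if (playerIndex != last) {
            players[playerIndex] = players[last];
        }
        players.pop();

        // State is updated before the external call (checks-effects-interactions).
        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // Defence in depth: never pay out to the zero address.
    // randomIndex stands in for whatever index source the raffle uses.
    function _payWinner(uint256 randomIndex) internal {
        require(players.length > 0, "no players");
        address winner = players[randomIndex % players.length];
        require(winner != address(0), "zero-address winner");

        delete players;
        (bool ok, ) = payable(winner).call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}
```

Swap-and-pop moves the last player into the vacated slot, so an index a player looked up earlier can go stale; the ownership check in refund makes a stale index revert rather than refund someone else's entry.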
Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.