Tags: Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: low
Status: Invalid

Unrestricted `entranceFee` Setting in Constructor

Vulnerability Details

The PuppyRaffle constructor assigns entranceFee directly from the _entranceFee argument with no bounds check, so it can be set to any value, including 0 or the maximum possible value (type(uint256).max). An unrestricted fee can lead to operational issues or be used to create conditions that work against participants.

constructor(uint256 _entranceFee, address _feeAddress, uint256 _raffleDuration) ERC721("Puppy Raffle", "PR") {
    entranceFee = _entranceFee;
    // ...
}

Impact

  • Operational Issues: Setting the entranceFee to 0 invites spam entries from non-serious participants and allows a DoS by growing the players array very large. Conversely, setting it too high could deter participation altogether.

  • Potential for Abuse: An excessively high or low entranceFee could be used to manipulate the raffle or create unfavorable conditions for participants.

Recommendations

  • Implement Bounds Checking: Enforce logical bounds for the entranceFee in the constructor. For example, set a minimum and maximum allowable fee that makes sense in the context of the raffle.

  • Administrative Controls: Allow the owner or administrator of the contract to adjust the entranceFee within specified limits, post-deployment, to adapt to changing conditions or correct initial settings.
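The following sketch shows both recommendations together: a constructor that rejects an out-of-range fee, and an owner-only setter that is constrained by the same bounds. It is an added example and not the audited PuppyRaffle code; the MIN_ENTRANCE_FEE and MAX_ENTRANCE_FEE values, the BoundedFeeRaffle name, the Solidity 0.8 target and the OpenZeppelin v5 Ownable constructor are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumes OpenZeppelin v5 layout (Ownable takes the initial owner as an argument).
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Illustrative contract for the bounds-checking recommendation.
///         Not the audited PuppyRaffle; names and limits are assumed.
contract BoundedFeeRaffle is ERC721, Ownable {
    // Example bounds only; pick values that fit the raffle's economics.
    uint256 public constant MIN_ENTRANCE_FEE = 0.001 ether;
    uint256 public constant MAX_ENTRANCE_FEE = 1 ether;

    uint256 public entranceFee;
    address public feeAddress;
    uint256 public raffleDuration;

    error EntranceFeeOutOfBounds(uint256 fee, uint256 min, uint256 max);
    error ZeroFeeAddress();

    event EntranceFeeUpdated(uint256 oldFee, uint256 newFee);

    constructor(uint256 _entranceFee, address _feeAddress, uint256 _raffleDuration)
        ERC721("Puppy Raffle", "PR")
        Ownable(msg.sender)
    {
        // Same validation path as the post-deployment setter, so the
        // deployment value cannot bypass the bounds.
        _setEntranceFee(_entranceFee);
        if (_feeAddress == address(0)) revert ZeroFeeAddress();
        feeAddress = _feeAddress;
        raffleDuration = _raffleDuration;
    }

    /// @notice Owner may adjust the fee after deployment, but only within bounds.
    function setEntranceFee(uint256 newFee) external onlyOwner {
        _setEntranceFee(newFee);
    }

    function _setEntranceFee(uint256 newFee) internal {
        if (newFee < MIN_ENTRANCE_FEE || newFee > MAX_ENTRANCE_FEE) {
            revert EntranceFeeOutOfBounds(newFee, MIN_ENTRANCE_FEE, MAX_ENTRANCE_FEE);
        }
        uint256 oldFee = entranceFee;
        entranceFee = newFee;
        emit EntranceFeeUpdated(oldFee, newFee);
    }
}
```

Routing the constructor through the same internal setter keeps the bounds in one place, and the event gives off-chain monitoring a record of every fee change. One design consideration for the admin setter: if refunds or payouts are computed from the current entranceFee, changing it mid-raffle alters what existing players receive, so either restrict updates to between raffles or snapshot the fee per round.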

Updates

Lead Judging Commences

Hamiltonite (Lead Judge), about 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
