Submission Details
Severity: high
Invalid

Zero raffle fee allows free raffle entries to be made at will

Summary

The constructor function does not check that the entrance fee is more than zero. This allows contestants to enter the raffle for FREE. The effect is that winners who enter for free stand to win after risking nothing. It can

Vulnerability Details

The constructor function does not check that the entrance fee is more than zero. This allows contestants to enter the raffle for FREE.

POC

Run this test:

    function testCanEnterRaffleZeroFee() public {
        // Deploy the raffle with an entrance fee of zero.
        puppyRaffle = new PuppyRaffle(
            0,
            feeAddress,
            duration
        );
        address[] memory players = new address[](1);
        players[0] = playerOne;
        // No Ether is sent with the call, yet the entry is accepted.
        puppyRaffle.enterRaffle(players);
        assertEq(puppyRaffle.players(0), playerOne);
    }

And run it as:

forge test --match-path test/PuppyRaffleTest.t.sol --match-contract PuppyRaffleTest --match-test "testCanEnterRaffleZeroFee"

Test results:

Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest
[PASS] testCanEnterRaffleZeroFee() (gas: 3325946)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 90.52ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

  1. Winners who enter for free stand to win the prize NFT after staking NOTHING.

  2. The fee recipient will receive no fee when selectWinner + withdrawFee is called since the contract's Ether balance will be zero.

Tools Used

Manual review

Recommendations

The constructor function should check that the entrance fee is more than zero:

    require(_entranceFee > 0, "Entrance Fee should be more than zero.");

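
The recommended check with regression tests, as an added example that is not the submission's or the project's own code. GuardedRaffle, its single-argument constructor, the "Wrong payment" message and the one-fee-per-entrant rule are assumptions made for illustration; the tests use forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the raffle; not the audited PuppyRaffle source.
contract GuardedRaffle {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 _entranceFee) {
        // Recommended check: reject a zero fee at deployment time.
        require(_entranceFee > 0, "Entrance Fee should be more than zero.");
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] memory newPlayers) external payable {
        // Assumed payment rule: exactly one fee per entrant.
        require(msg.value == entranceFee * newPlayers.length, "Wrong payment");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
    }
}

contract GuardedRaffleTest is Test {
    address playerOne = address(1);

    function testZeroFeeDeploymentReverts() public {
        vm.expectRevert(bytes("Entrance Fee should be more than zero."));
        new GuardedRaffle(0);
    }

    function testUnpaidEntryReverts() public {
        GuardedRaffle raffle = new GuardedRaffle(1 ether);
        address[] memory entrants = new address[](1);
        entrants[0] = playerOne;
        vm.expectRevert(bytes("Wrong payment"));
        raffle.enterRaffle(entrants); // no value attached
    }

    function testPaidEntrySucceeds() public {
        GuardedRaffle raffle = new GuardedRaffle(1 ether);
        address[] memory entrants = new address[](1);
        entrants[0] = playerOne;
        raffle.enterRaffle{value: 1 ether}(entrants);
        assertEq(raffle.players(0), playerOne);
        assertEq(address(raffle).balance, 1 ether);
    }
}
```
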
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
