Submission Details
Severity: medium
Valid

Nested for loops in enterRaffle can cause a denial of service (DoS).

Summary

Using nested for loops inside a function can cause a DoS of that function: the call may revert because it uses too much gas.

Vulnerability Details

POC

    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        // @audit-issue : can cause dos.
        // Check for duplicates
        for (uint256 i = 0; i < players.length - 1; i++) {
            for (uint256 j = i + 1; j < players.length; j++) {
                require(players[i] != players[j], "PuppyRaffle: Duplicate player");
            }
        }
        emit RaffleEnter(newPlayers);
    }

Test Case

    function testCanEnterRaffleMany1() public {
        address[] memory players = new address[]((2**256)/2);
        for (uint256 i = 0; i < (2**256)/2; i++) {
            players[i] = address(i);
        }
        puppyRaffle.enterRaffle{value: entranceFee * (2**256-1)/2}(players);
        for (uint256 i = 0; i < (2**256)/2; i++) {
            assertEq(puppyRaffle.players(i), address(i));
        }
    }

Result

     Failing tests:
     Encountered 1 failing test in test/PuppyRaffleTest.t.sol:PuppyRaffleTest
     [FAIL. Reason: EvmError: Revert] testCanEnterRaffleMany1() (gas: 267)

     Encountered a total of 1 failing tests

Impact

The enterRaffle function can revert when the duplicate check uses too much gas.

Tools Used

Foundry

Recommendations

Avoid using nested for loops in the function.
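
One way to follow this recommendation, as an added example (not the PuppyRaffle code and not part of the original submission): record each entrant in a mapping so the duplicate check costs one lookup per new player. The contract name, `currentRound`, `enteredInRound`, `_startNextRound` and the compiler range are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.6 <0.9.0; // assumed compiler range, not stated on the page

/// Added sketch: enterRaffle with a constant-time duplicate check.
contract RaffleEntrySketch {
    uint256 public immutable entranceFee;
    address[] public players;

    // Hypothetical bookkeeping: the round in which an address last entered.
    // Rounds start at 1 so the mapping default (0) means "never entered".
    uint256 public currentRound = 1;
    mapping(address => uint256) public enteredInRound;

    event RaffleEnter(address[] newPlayers);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

        // One storage read and one write per new player: the cost depends on
        // newPlayers.length only, not on how many players already entered.
        for (uint256 i = 0; i < newPlayers.length; i++) {
            address player = newPlayers[i];
            // Also rejects an address repeated inside newPlayers itself,
            // because the mark is written before the next iteration.
            require(enteredInRound[player] != currentRound, "PuppyRaffle: Duplicate player");
            enteredInRound[player] = currentRound;
            players.push(player);
        }
        emit RaffleEnter(newPlayers);
    }

    // Hypothetical helper: call when a round ends. Incrementing the round id
    // invalidates every enteredInRound mark without clearing the mapping.
    function _startNextRound() internal {
        delete players;
        currentRound++;
    }
}
```

With the pairwise check, each call compares every stored pair of players, so the work grows quadratically with the total number of entrants; here it grows linearly with the size of the submitted batch.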

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

denial-of-service-in-enter-raffle
