Beginner Friendly, Foundry, NFT
Submission Details
Severity: low
Invalid

Contract is easily sybil-attacked

Summary

Within PuppyRaffle.sol, there is a check that at least 4 players must enter the raffle before the winner can be drawn. While the aim of this check is not described fully, there is nothing preventing one person using 4 separate wallets to enter and overcome this check.

Vulnerability Details

One person can use 4 wallets to enter the raffle separately, ensuring they win or at least greatly increasing their chances.

Impact

This issue doesn't result in loss of funds, etc., but given that the goal of the check is unknown, I believe it's worth noting and considering what the aims of this check are, and if the aims are reflected in the implementation given the simplicity of the attack.

Tools Used

none

Recommendations

Sybil attacks are a complex issue without easy solutions. That being said, there are some ways that they can be reduced, perhaps by issuing tokens that can be redeemed separately for the NFT after a set amount of time, which would allow on-chain research to be done to look for signs of sybil attacks (common sources of funding, etc.). There are also third-party solutions that essentially vouch for identities (Gitcoin Passport, etc.).
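The "common sources of funding" review mentioned in the recommendation can be sketched as a clustering pass over entrant wallets. This is an added example, not part of the original submission or of the PuppyRaffle code base; the addresses, transfer records, shared-service allowlist and hop limit are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real chain data): (block, sender, recipient)
TRANSFERS = [
    (100, "0xEXCHANGE", "0xA11CE"),
    (101, "0xA11CE", "0xHOP1"),
    (102, "0xHOP1", "0xW1"),
    (103, "0xHOP1", "0xW2"),
    (104, "0xA11CE", "0xW3"),
    (105, "0xEXCHANGE", "0xB0B"),
    (106, "0xEXCHANGE", "0xCAROL"),
]
ENTRANTS = ["0xW1", "0xW2", "0xW3", "0xB0B", "0xCAROL"]
# Assumed allowlist: shared services (e.g. exchange hot wallets) fund many
# unrelated users, so they are not treated as evidence of common control.
SHARED_SERVICES = {"0xEXCHANGE"}

def first_funders(transfers):
    """Map each address to the sender of its earliest inbound transfer."""
    funder = {}
    for _block, sender, recipient in sorted(transfers):
        funder.setdefault(recipient, sender)
    return funder

def funding_root(addr, funder, shared, max_hops=3):
    """Walk back through first funders, stopping before a shared service."""
    seen = {addr}
    for _ in range(max_hops):
        parent = funder.get(addr)
        if parent is None or parent in shared or parent in seen:
            break
        seen.add(parent)
        addr = parent
    return addr

def sybil_clusters(entrants, transfers, shared=SHARED_SERVICES, min_size=2):
    """Group entrants by funding root; return groups worth manual review."""
    funder = first_funders(transfers)
    groups = defaultdict(list)
    for entrant in entrants:
        groups[funding_root(entrant, funder, shared)].append(entrant)
    return {root: sorted(m) for root, m in groups.items() if len(m) >= min_size}

if __name__ == "__main__":
    for root, members in sybil_clusters(ENTRANTS, TRANSFERS).items():
        print(f"{len(members)}/{len(ENTRANTS)} entries trace back to {root}: {members}")
```

A shared funding root is a signal for review rather than proof of common control, and a delayed redemption window is what gives this kind of analysis time to run before the NFT is issued.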

Updates

Lead Judging Commences

hexbyte Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issues
