First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Fee Address can enter raffle, which may lead to team fooling players and getting all the puppies and fees

WangSecurity

Summary

Fee Address can enter the raffle, which may lead to the it winning the raffle, getting all the fees (not 20%) and nft.

Vulnerability Details

function etnerRaffle(); doesn't check if any of the addresses are a fee address or not, which may result in the problem mentioned in Summary. All the funds are indirectly at risk, because the process of selecting a winner is still random, but it still can be feeAddress, and the team may select a lower duration, so there are less players, thus higher chance of feeAddress winning
here is the test:
function testCanEnterRaffle() public {
address[] memory players = new address;
players[0] = feeAddress;
puppyRaffle.enterRaffle{value: entranceFee}(players);
assertEq(puppyRaffle.players(0), feeAddress);
}

Impact

impact is medium, because the funds are indirectly at risk. The protocol cannot drain it all the way, but they still can get all the money from raffles

Tools Used

Foundry

Recommendations

In function enterRaffle, in for-loop of pushing address to players array, add a check for feeAddress:

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

require(newPlayers[i] != feeAddress, "PuppyRaffle: Fee Address cannot enter raffle");

players.push(newPlayers[i]);

}

// Check for duplicates

for (uint256 i = 0; i < players.length - 1; i++) {

for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j], "PuppyRaffle: Duplicate player");

}

emit RaffleEnter(newPlayers);

}

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.