Submission Details
Severity:
PuppyRaffle::getActivePlayerIndex() returns 0 on non existing player
Summary
PuppyRaffle::getActivePlayerIndex(address) returns 0 on non existing player. Since there's a player on zero Index, it might confuse the player who is actually in the zero index.
Vulnerability Details
No difference if a input for
getActivePlayerIndex(address)is player at zero address and non existing player.Revert if player is non-exists.
Impact
Severity : low
likelihood : high
Tools Used
manual verification
Recommendations
function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
- return 0;
}
function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
+ revert("player doesnt exist");
}
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
getActivePlayerIndex can say a player is both entered at slot 0 and inactive
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.