First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

getActivePlayerIndex should not return 0 if the caller is not in the array because there may be a different player at index 0

happyformerlawyer

Summary

getActivePlayerIndex should not return 0 if the caller is not in the players array because there may be a different player at players[0].

Vulnerability Details

function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
return 0;
}

Impact

You may confuse players about whether they have an entry. Since neither the refund function or any other function calls getActivePlayerIndex, it won't allow a malicious user to do anything malicious luckily.

Tools Used

Manual review

Recommendations

Instead have the function revert if msg.sender is not in the players array. First add a function checkAddressInArray:

function checkAddressInArray() public pure returns (bool) {
for (uint i = 0; i < players.length; i++) {
if (players[i] == msg.sender) {
return true;
}
}
return false;
}

Then revise getActivePlayerIndex so it reverts if the person calling it is not in the array of players:

function getActivePlayerIndex(address player) external view returns (uint256) {
if(checkAddressInArray() == false) {
revert PuppyRaffle__NotInPlayersArray()}
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

getActivePlayerIndex can say a player is both entered at slot 0 and inactive

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.