Submission Details
Severity: high
Valid

Incorrect method for removing a player in "refund" function

Summary

The refund function contains an incorrect method for removing a player when a refund is initiated. The line "players[playerIndex] = address(0);" is used to set the player's address to address(0), but this approach is incorrect.

Vulnerability Details

The refund function is designed to allow a player to receive a refund of their entrance fee. However, it incorrectly attempts to remove the player by assigning the player's address to address(0) without actually reducing the number of players in the array. The number of players in the array is involved in the calculations of the values of many variables and some functions.

Impact

Loss of Funds: If the winner is assigned address(0), it may lead to a loss of funds during prize distribution.
Incorrect Calculations: The incorrect removal of players can result in erroneous calculations of total amounts, prize pools, fees, etc., or in exceeding the contract balance.
Misinformation: This could lead to misinformation and incorrect player status reporting in "getActivePlayerIndex" function.

Tools Used

Manual review.

Recommendations

To address this issue and correctly remove the player from the players array, you should use the delete keyword, as follows:

delete players[playerIndex];

Here's the corrected refund function:

function refund(uint256 playerIndex) public {
    address playerAddress = players[playerIndex];
    require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
    require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

    payable(msg.sender).sendValue(entranceFee);

    delete players[playerIndex];
    emit RaffleRefunded(playerAddress);
}
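
The contract below is an added illustration, not part of the submission or of the PuppyRaffle code base; the contract name, function names and sample addresses are hypothetical. It puts three ways of clearing an entry side by side so the effect on players.length, the value the finding says other calculations depend on, can be checked by calling count() after each one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0;

// Added illustration: names and sample data are hypothetical/constructed.
contract PlayerRemovalDemo {
    address[] public players;

    constructor() {
        // Constructed sample entrants.
        players.push(address(0x1));
        players.push(address(0x2));
        players.push(address(0x3));
    }

    // Number of slots in the array, including any zeroed ones.
    function count() external view returns (uint256) {
        return players.length;
    }

    // Pattern described in the finding: the slot becomes address(0),
    // players.length is unchanged.
    function removeByZeroing(uint256 i) external {
        players[i] = address(0);
    }

    // `delete` on a single element resets it to the type's default value,
    // which for address is address(0); players.length is also unchanged.
    function removeByDelete(uint256 i) external {
        delete players[i];
    }

    // Swap-and-pop: move the last entry into slot i, then shrink the array
    // by one. Order is not preserved, so the moved player's index changes.
    function removeBySwapAndPop(uint256 i) external {
        require(i < players.length, "index out of range");
        uint256 last = players.length - 1;
        if (i != last) {
            players[i] = players[last];
        }
        players.pop();
    }
}
```

With the three constructed entrants, count() returns 3 after removeByZeroing(1) or removeByDelete(1), and 2 after removeBySwapAndPop(1).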

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
