Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: high
Invalid

Contract allows players to be refunded using the refund function. However, it does not handle cases where a player has already been refunded or is not an active player

Summary

The contract allows players to be refunded through the refund function. It does not, however, handle the cases where a player has already been refunded or is not an active player, which can lead to undesired behavior.

Vulnerability Details

In the contract, the refund function lets a player request a refund of their entrance fee. It does not check whether that player has already been refunded or whether the player is still an active participant in the raffle. Players who have already received a refund can therefore keep calling the function, wasting gas and potentially producing undesirable outcomes.

Impact

Not handling refunds for inactive players, or for players who have already been refunded, leads to wasted gas, confusion among users, and potentially undesirable contract behavior.

Tools Used

Manual

Recommendations

To address this issue, the refund function should check that the player has not already been refunded and is an active participant before paying out.

The version below adds those checks before the refund is sent and marks the player as refunded afterwards, so a second call for the same index reverts instead of paying again. This reduces wasted gas and confusion among users. Note that `hasBeenRefunded` and `markAsRefunded` are helpers the fix assumes; their bodies are not given here.

    function refund(uint256 playerIndex) public {
        address playerAddress = players[playerIndex];
        // Only the entrant at this index may refund it.
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        // A cleared slot means the entrant was already refunded or never active.
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");
        // Ensure the player has not been refunded and is an active participant
        // (hasBeenRefunded is a helper assumed by this fix, not shown here).
        require(!hasBeenRefunded(playerAddress), "PuppyRaffle: Player has already been refunded");

        // Perform the refund
        payable(msg.sender).sendValue(entranceFee);

        // Mark the player as refunded so a repeat call reverts
        // (markAsRefunded is a helper assumed by this fix, not shown here).
        markAsRefunded(playerIndex);
        emit RaffleRefunded(playerAddress);
    }
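The double-refund guard the recommendation describes, written out as a self-contained Foundry contract and test. This is an added example, not PuppyRaffle's code or the submitter's; the contract name `RefundDemo`, the `enterRaffle` function, the test addresses and the revert strings are assumptions made for the example. It also shows two details the snippet above leaves open: the cleared-slot check runs before the ownership check, so the "already refunded" message is the one a repeat caller actually sees (with the ownership check first, a zeroed slot can never equal `msg.sender`, and the refunded-player message is unreachable), and the slot is cleared before any ether leaves the contract, so a second call reverts however it is triggered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for a raffle with a fixed entrance fee. Names and storage
// layout are assumptions for this example; this is not the PuppyRaffle contract.
contract RefundDemo {
    uint256 public immutable entranceFee;
    address[] public players;

    event RaffleEnter(address[] newPlayers);
    event RaffleRefunded(address player);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "RefundDemo: Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        emit RaffleEnter(newPlayers);
    }

    function refund(uint256 playerIndex) public {
        // An out-of-range index reverts on its own via the array bounds check.
        address playerAddress = players[playerIndex];
        // A cleared slot means this entrant was already refunded or never active.
        // Checked first so a repeat caller gets this message, not the ownership one.
        require(playerAddress != address(0), "RefundDemo: Player already refunded, or is not active");
        require(playerAddress == msg.sender, "RefundDemo: Only the player can refund");

        // Effect before interaction: clear the slot, then pay. Any second call
        // for this index now fails the address(0) check above.
        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);

        (bool ok, ) = payable(msg.sender).call{value: entranceFee}("");
        require(ok, "RefundDemo: Refund transfer failed");
    }
}

contract RefundDemoTest is Test {
    RefundDemo raffle;
    uint256 constant FEE = 1 ether;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        raffle = new RefundDemo(FEE);
        address[] memory entrants = new address[](2);
        entrants[0] = alice;
        entrants[1] = bob;
        raffle.enterRaffle{value: FEE * 2}(entrants);
    }

    // First refund pays once and clears the slot; the second reverts.
    function testSecondRefundReverts() public {
        vm.prank(alice);
        raffle.refund(0);
        assertEq(alice.balance, FEE);
        assertEq(raffle.players(0), address(0));

        vm.prank(alice);
        vm.expectRevert(bytes("RefundDemo: Player already refunded, or is not active"));
        raffle.refund(0);
    }

    // A different entrant cannot refund someone else's index.
    function testOnlyPlayerCanRefund() public {
        vm.prank(bob);
        vm.expectRevert(bytes("RefundDemo: Only the player can refund"));
        raffle.refund(0);
    }
}
```

Drop the file into a Foundry project's `test/` directory and run `forge test`; both tests pass against the contract as written, and swapping the order of the two `require` statements in `refund` makes `testSecondRefundReverts` fail on the expected revert string, which is the ordering point above.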
Updates

Lead Judging Commences

patrickalphac Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
