After the 'refund' function has been called twice by players in the raffle, two slots in the 'players' array hold the value 'address(0)'. Whenever a player enters the raffle, the contract checks that there are no repeated addresses in the 'players' array; the two 'address(0)' entries are treated as a duplicate, so every later attempt to join the raffle reverts.
Any player could easily lock the game by entering the raffle and refunding their fee twice. This leaves two elements in the 'players' array with the value 'address(0)', which prevents any other address from entering the raffle until this game ends.
This bug can be exploited to increase the probability of winning the raffle.
The impact is very high, as the raffle stays manipulated for the rest of its duration, making the game unfair and undesirable to play.
The enterRaffle function should be modified as follows, so that 'address(0)' entries are skipped by the duplicate check:
function enterRaffle(address[] memory newPlayers) public payable {
    require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
    for (uint256 i = 0; i < newPlayers.length; i++) {
        players.push(newPlayers[i]);
    }
    // Check for duplicates, ignoring slots cleared to address(0) by refund()
    for (uint256 i = 0; i < players.length - 1; i++) {
        if (players[i] != address(0)) {
            for (uint256 j = i + 1; j < players.length; j++) {
                require(players[i] != players[j], "PuppyRaffle: Duplicate player");
            }
        }
    }
    emit RaffleEnter(newPlayers);
}
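The locking sequence described in the finding, and the effect of the proposed enterRaffle change, as an added Python model of the contract logic (this is not the project's Solidity and not part of the original submission). Addresses and the entrance fee are constructed values; the model keeps only the 'players' array, the fee check, the refund clearing a slot to address(0) and the duplicate check, and mirrors a Solidity revert by discarding the pushed entries when the check fails.

```python
"""Constructed model of PuppyRaffle's enterRaffle/refund interaction."""

ZERO = "0x0000000000000000000000000000000000000000"  # stands in for address(0)


class RaffleModel:
    """Minimal state model; `skip_zero` selects the vulnerable or fixed duplicate check."""

    def __init__(self, entrance_fee: int, skip_zero: bool):
        self.entrance_fee = entrance_fee
        self.skip_zero = skip_zero
        self.players: list[str] = []

    def enter_raffle(self, new_players: list[str], value: int) -> None:
        if value != self.entrance_fee * len(new_players):
            raise ValueError("PuppyRaffle: Must send enough to enter raffle")
        # Work on a copy so a failed check leaves state untouched, like a revert.
        candidate = self.players + new_players
        n = len(candidate)
        for i in range(n - 1):
            # The proposed fix: a refunded (zeroed) slot is never compared.
            if self.skip_zero and candidate[i] == ZERO:
                continue
            for j in range(i + 1, n):
                if candidate[i] == candidate[j]:
                    raise ValueError("PuppyRaffle: Duplicate player")
        self.players = candidate

    def refund(self, index: int, caller: str) -> int:
        """Clears the caller's slot to address(0) and returns the fee owed."""
        if self.players[index] != caller:
            raise ValueError("PuppyRaffle: Only the player can refund")
        if self.players[index] == ZERO:
            raise ValueError("PuppyRaffle: Player already refunded, or is not active")
        self.players[index] = ZERO
        return self.entrance_fee


def lock_scenario(skip_zero: bool) -> dict:
    """Two players enter and both refund; a third then tries to join."""
    raffle = RaffleModel(entrance_fee=1, skip_zero=skip_zero)
    raffle.enter_raffle(["0xA1", "0xA2"], value=2)  # constructed addresses
    raffle.refund(0, "0xA1")
    raffle.refund(1, "0xA2")
    try:
        raffle.enter_raffle(["0xB1"], value=1)
        return {"locked": False, "error": None, "players": list(raffle.players)}
    except ValueError as exc:
        return {"locked": True, "error": str(exc), "players": list(raffle.players)}


if __name__ == "__main__":
    print("vulnerable check:", lock_scenario(skip_zero=False))
    print("fixed check:     ", lock_scenario(skip_zero=True))
```

With the original check the third entry is rejected as a "Duplicate player" because the two address(0) slots match each other; with the address(0) slots skipped, the third player is admitted and the two cleared slots remain in the array.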
Funds are locked to no one. If someone gets the refund issue, they also get this issue. Impact: High. Likelihood: High.