Submission Details
Severity: medium
Valid

[M-1] For loop used in enterRaffle() can cause a DoS attack.

Summary

enterRaffle() places no limit on how many players can join the raffle. This becomes a problem when the nested loops check for duplicates: if the players array grows large enough, the looping will run into an out-of-gas error.

Vulnerability Details

The blockchain has a gas limit for every block, which is 30 million in the case of Ethereum. enterRaffle() checks for duplicates with a nested for loop, so if the players array is too long, 30 million gas will not be enough to cover the looping. In that case the contract will throw an out-of-gas error and cause a DoS of the system.

POC

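    function test_outOfGasError() public {
        // Build 100,000 distinct player addresses
        address[] memory players = new address[](100000);
        for (uint256 i = 0; i < 100000; i++) {
            players[i] = address(uint160(i));
        }
        // The nested duplicate check in enterRaffle() has to loop over all of them
        puppyRaffle.enterRaffle{value: entranceFee * 100000}(players);
    }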

Impact

If the players array grows too large, no new players can join the raffle, because the loop that checks for duplicates will always fail.

Tools Used

Manual review

Recommendations

The mitigation in this case is to allow only a fixed number of players per raffle duration, chosen so that the duplicate-check loop can always be covered by gas.
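
One way to implement the recommended cap, as an added example that is not the audited contract's code: the contract name `CappedRaffle`, the custom errors, and the `MAX_PLAYERS` value of 100 are assumptions, and the duplicate check is assumed to be the nested loop this finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical contract for illustration; winner selection and the reset of
/// `players` between raffles are out of scope here.
contract CappedRaffle {
    // Assumed placeholder: choose the real cap by measuring enterRaffle() gas
    // with a full array and keeping it well under the block gas limit.
    uint256 public constant MAX_PLAYERS = 100;

    uint256 public immutable entranceFee;
    address[] public players;

    error RaffleFull(uint256 requested, uint256 remaining);
    error WrongValue();
    error DuplicatePlayer(address player);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] calldata newPlayers) external payable {
        // Enforce the cap before any loop runs. players.length never exceeds
        // MAX_PLAYERS, so this subtraction cannot underflow.
        uint256 remaining = MAX_PLAYERS - players.length;
        if (newPlayers.length > remaining) {
            revert RaffleFull(newPlayers.length, remaining);
        }
        if (msg.value != entranceFee * newPlayers.length) revert WrongValue();

        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }

        // Nested duplicate check, now bounded by
        // MAX_PLAYERS * (MAX_PLAYERS - 1) / 2 comparisons per call.
        uint256 n = players.length;
        for (uint256 i = 0; i + 1 < n; i++) {
            for (uint256 j = i + 1; j < n; j++) {
                if (players[i] == players[j]) revert DuplicatePlayer(players[i]);
            }
        }
    }
}
```

With the cap in place, the worst-case cost of entering is fixed at deployment time and can be checked in a test that fills the raffle to `MAX_PLAYERS`.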

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

denial-of-service-in-enter-raffle
