First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Possible Reetrancy and Gas Issues in Duplicate Check of enterRaffle() Function

yeahchibyke

Summary

Inefficient duplicate check in enterRaffle() function

Vulnerability Details

In the current implementation, checks are done after addresses are added to the players array.

Impact

This could lead to unnecessary gas costs, as the function iterates over the entire players array for each address in the newPlayers array. If for instance, a user calls the enterRaffle() function and passes an array of 100 addresses, the enterRaffle() function adds each address to the players array and checks for duplicates. This results in the function iterating over the players array 100 times, which is highly inefficient and could consume a lot of gas.
Also, because of CEI (Check Events Interactions) failure, this could lead to possible reentrancy attacks. A function could be created that calls this particular function, and then manipulated for malicious purposes.

Tools Used

Foundry, Remix, PhindAI

Recommendations

Modify the enterRaffle() function to check for duplicates before adding the addresses to the players array. This is done by iterating over the players array for each address in the newPlayers array and checking if the address already exists in the players array. If a duplicate is found, the function emits a RaffleEnter event and does not add the address to the players array. This is more efficient than checking for duplicates after they have been added to the array.

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

require(newPlayers[i] != address(0), "PuppyRaffle: Invalid player address");

bool isDuplicate = false;

for (uint256 j = 0; j < players.length; j++) {

if (players[j] == newPlayers[i]) {

isDuplicate = true;

break;

}

if (!isDuplicate) {

players.push(newPlayers[i]);

} else {

emit RaffleEnter(newPlayers);

}

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Vague generalities

Assigned finding tags:

denial-of-service-in-enter-raffle

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!