First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Possible DoS Attack In refund() Function

yeahchibyke

Summary

Possible DoS attack in refund() function due to no check for zero address

Vulnerability Details

The refund() function does not check if the player's address is the zero address, which is a valid Ethereum address.

Impact

If the function is called with the zero address, it will attempt to send the entrance fee to the zero address, which is not possible because the zero address does not have a balance. This will cause the function to fail and consume all the gas available for the transaction.

Tools Used

Foundry, Remix, PhindAI

Recommendations

The refund() function should check if the player's address is the zero address before attempting to send the entrance fee. This can be done using the require statement with the condition;

playerAddress != address(0)

This check ensures that the function does not proceed if the player's address is the zero address.

I modified the refund() function with this check

function refund(uint256 playerIndex) public {
address playerAddress = players[playerIndex];
require(playerAddress != address(0), "PuppyRaffle: Invalid player address");
require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
payable(msg.sender).sendValue(entranceFee);
players[playerIndex] = address(0);
emit RaffleRefunded(playerAddress);
}
Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!