Submission Details
Severity: low
Valid

Flawed default value in getActivePlayerIndex

Summary

The addresses of players that entered the raffle are added to the public players array. The function getActivePlayerIndex returns the index of an address. If the address is not in players, it returns 0.

This logic is flawed because arrays are 0-indexed: there is no distinction between the first address in players and any address not in players.

Vulnerability Details

There is no vulnerability since getActivePlayerIndex is not called by any other functions in the contract.

Impact

This will create confusion when trying to determine whether an address is registered in the raffle.

Tools Used

Manual testing

Example test
// Audit: a non-registered player and the first registered player get the same index.
function test_auditGetActivePlayerIndexNonRegisteredPlayer() public {
    // Register only playerOne and playerTwo; playerThree never enters.
    address[] memory players = new address[](2);
    players[0] = playerOne;
    players[1] = playerTwo;
    puppyRaffle.enterRaffle{value: entranceFee * 2}(players);
    // Both lookups return 0, so the caller cannot tell the two cases apart.
    assertEq(puppyRaffle.getActivePlayerIndex(playerThree), puppyRaffle.getActivePlayerIndex(playerOne));
}

Recommendations

Multiple solutions exist, although each requires some light refactoring. One is to create a mapping from addresses to boolean values to keep track of active players.
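
One way to apply the mapping recommendation, as an added example that is not the audited contract's code: a membership flag lets the lookup revert for unknown addresses instead of returning 0. Only players and getActivePlayerIndex come from the finding; the contract name, enter, isActivePlayer, PlayerNotActive and getActivePlayerIndexAmbiguous are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Every name except
// `players` and `getActivePlayerIndex` is hypothetical.
contract PlayerLookupExample {
    address[] public players;

    // Membership flag, so "not found" never has to be encoded as an index.
    // Assumption: any code path that removes a player also clears this flag.
    mapping(address => bool) public isActivePlayer;

    error PlayerNotActive(address player);

    // Simplified entry: no fee handling, only the bookkeeping needed here.
    function enter(address[] calldata newPlayers) external {
        for (uint256 i = 0; i < newPlayers.length; i++) {
            isActivePlayer[newPlayers[i]] = true;
            players.push(newPlayers[i]);
        }
    }

    // Behaviour described in the finding: 0 means both "first player"
    // and "not a player".
    function getActivePlayerIndexAmbiguous(address player) external view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) return i;
        }
        return 0;
    }

    // Unambiguous variant: an unknown address reverts, so a returned 0
    // can only mean the address sits in slot 0.
    function getActivePlayerIndex(address player) external view returns (uint256) {
        if (!isActivePlayer[player]) revert PlayerNotActive(player);
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) return i;
        }
        // Only reachable if the mapping and the array fall out of sync.
        revert PlayerNotActive(player);
    }
}
```

Callers that only need a yes/no answer can read isActivePlayer directly and skip the array scan.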

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

getActivePlayerIndex can say a player is both entered at slot 0 and inactive
