Submission Details
Severity: low
Invalid

Missing zero address check causes exploit

Summary

Users can enter the 0 address in the Raffle to manipulate winning probabilities.

Vulnerability Details

While it is stated in the CodeHawks documentation that "Zero address checks" are not valid findings, in this case a user can use this to increase his chance of winning.

The function that selects a winner and mints the NFT, selectWinner, requires that at least 4 addresses are registered in the Raffle. One can register the 0 address, which will count as one of the 4 minimum entries.

If the 0 address is selected as winner, the minting will fail due to the ERC721 spec. In this case a user can call selectWinner until another address is selected.

Impact

A user can register the 0 address to increase his chance of winning. For example, if there are 4 participants including the 0 address, the effective probability for a certain address to win will be 1/3 instead of 1/4.
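
The arithmetic in the Impact paragraph, as an added example that is not part of the submission or the contest code: a Python model of the revert-and-retry loop, generalized to any entrant list. It assumes each selectWinner call draws uniformly and independently and that a reverted call leaves the raffle unchanged; the addresses are constructed placeholders.

```python
import random
from fractions import Fraction

ZERO = "0x0000000000000000000000000000000000000000"

class MintToZeroAddress(Exception):
    """Models the revert when the drawn winner is the zero address."""

def select_winner(players, rng):
    """One selectWinner call: uniform draw (assumption), revert on zero address."""
    if len(players) < 4:
        raise ValueError("need at least 4 players")
    winner = players[rng.randrange(len(players))]
    if winner == ZERO:
        raise MintToZeroAddress  # state is rolled back, the raffle stays open
    return winner

def draw_until_mint_succeeds(players, rng):
    """Caller behaviour from the report: repeat the call until it stops reverting."""
    if all(p == ZERO for p in players):
        raise ValueError("no mintable entrant")  # would otherwise loop forever
    while True:
        try:
            return select_winner(players, rng)
        except MintToZeroAddress:
            continue

def exact_win_probability(players, address):
    """P(address wins | retries on revert) = entries(address) / non-zero entries."""
    live = [p for p in players if p != ZERO]
    return Fraction(live.count(address), len(live)) if live else Fraction(0)

def simulated_win_probability(players, address, rounds=20_000, seed=1):
    """Monte Carlo check of the exact value, with a fixed seed for repeatability."""
    rng = random.Random(seed)
    wins = sum(draw_until_mint_succeeds(players, rng) == address for _ in range(rounds))
    return wins / rounds

# Constructed sample entrants (placeholder addresses, not from the contest).
ALICE, BOB, CAROL, DAVE = "0xA11CE", "0xB0B", "0xCA401", "0xDA7E"
HONEST = [ALICE, BOB, CAROL, DAVE]
WITH_ZERO = [ALICE, BOB, CAROL, ZERO]

if __name__ == "__main__":
    for label, entrants in (("honest", HONEST), ("with zero address", WITH_ZERO)):
        print(label, exact_win_probability(entrants, ALICE),
              round(simulated_win_probability(entrants, ALICE), 3))
```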

Tools Used

Manual review

Recommendations

Add a 0 address validation in enterRaffle.

Example
for (uint256 i = 0; i < newPlayers.length; i++) {
    require(newPlayers[i] != address(0), "PuppyRaffle: Zero address can't enter raffle");
    players.push(newPlayers[i]);
}

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Zero address checks
