Submission Details
Severity: high
Valid

Possible invalid array length in selectWinner() function

Summary

The array length is invalid when users are refunded during the game.

Vulnerability Details

The refund() function only sets the refunded user's index back to address 0, but the array still retains its length.

Impact

Invalid total amount collected: Calculating the total amount collected with an invalid length can lead to an invalid amount. This is because the total amount collected is calculated by multiplying the length of the players array by the price of the raffle ticket. If the number of active players is less than the length of the array, then the total amount collected will be overstated. This could lead to problems such as users being able to claim more money than they are entitled to.

Tools Used

Manual review

Recommendations

The refund() function should be modified to set the index of the user refunded to address 0 and to decrement the length of the array. This will ensure that the selectWinner() function always uses the correct number of active players to determine the winning index. Additionally, the total amount collected should be calculated using the number of active players, not the length of the array.
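
The pattern described above next to one way to apply the recommendation, as an added sketch that is not the audited contract's code. Only `refund()` and `selectWinner()` are named in the finding; the contract name, `players`, `entranceFee` and the helper functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal raffle, NOT the audited contract.
// All identifiers here are assumptions chosen for the example.
contract RaffleSketch {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    // Pattern from the finding: the slot is zeroed, the length is unchanged.
    function refundVulnerable(uint256 i) external {
        require(players[i] == msg.sender, "not player");
        players[i] = address(0);
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // Hardened: swap-and-pop removes the slot, so length == active players.
    // Note that this moves the last player into index i.
    function refundFixed(uint256 i) external {
        require(players[i] == msg.sender, "not player");
        players[i] = players[players.length - 1];
        players.pop();
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // The pot a winner-selection routine assumes when it trusts players.length.
    function assumedPot() public view returns (uint256) {
        return players.length * entranceFee;
    }

    // True once the length-based total exceeds the funds actually held.
    function potOverstated() external view returns (bool) {
        return assumedPot() > address(this).balance;
    }
}
```

With four entrants and one call to `refundVulnerable`, `players.length` stays at 4 while the balance covers only three tickets, so `potOverstated()` returns true and one of the four slots holds address 0; the same sequence through `refundFixed` leaves both at three.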

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.
