Submission Details
Severity: high
Valid

Address(0) can enter Raffle, can lead to locked funds

Summary

Invalid addresses can enter the lottery. If one of them ends up winning, no ERC721 can be minted and the funds will be locked in the contract.

Vulnerability Details

There is no check for address(0) in the PuppyRaffle::enterRaffle function. Therefore invalid addresses can participate. If one of them ends up winning the lottery, PuppyRaffle::selectWinner() will revert and the winnings will be locked inside the contract.
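The failure mode described above, written as a Foundry regression test. This is an added example, not code from the submission or from the PuppyRaffle repository: `RaffleModel`, the index argument to its `selectWinner`, the fee and the revert strings are hypothetical stand-ins, and the `require` in `selectWinner` models an ERC721 mint rejecting address(0).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the raffle: only the entry path and a payout
// whose mint step rejects address(0), as an ERC721 mint does.
contract RaffleModel {
    uint256 public immutable entranceFee;
    address[] public players;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    // Entry as the finding describes it: no zero-address check.
    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "bad value");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
    }

    // Assumption: the winner index is passed in to keep the test deterministic.
    function selectWinner(uint256 index) external {
        address winner = players[index];
        require(winner != address(0), "mint to the zero address");
        delete players;
        (bool ok,) = winner.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}

contract ZeroAddressEntryTest is Test {
    RaffleModel raffle;

    function setUp() public {
        raffle = new RaffleModel(1 ether);
    }

    function test_zeroAddressWinnerLocksFunds() public {
        address[] memory entrants = new address[](2);
        entrants[0] = address(0); // accepted, because entry never checks it
        entrants[1] = address(0xBEEF); // constructed sample address
        raffle.enterRaffle{value: 2 ether}(entrants);

        vm.expectRevert("mint to the zero address");
        raffle.selectWinner(0);
        assertEq(address(raffle).balance, 2 ether); // prize pool never leaves
    }
}
```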

Impact

Loss of funds.

Tools Used

Foundry

Recommendations

function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
for (uint256 i = 0; i < newPlayers.length; i++) {
+ require(newPlayers[i] != address(0), "PuppyRaffle: Player cannot be address(0)");
players.push(newPlayers[i]);
}
// Check for duplicates
for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
emit RaffleEnter(newPlayers);
}
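Review bot: the added `require(newPlayers[i] != address(0), ...)` in the first loop ships without a test; add a Foundry case that passes an array containing address(0) and expects the revert string "PuppyRaffle: Player cannot be address(0)", so the check cannot be dropped silently later. The placement before `players.push` is right, since a rejected batch then leaves `players` untouched. Separately, the first `require` still passes for an empty `newPlayers` with zero value, and the duplicate loop then evaluates `players.length - 1` on an array that may be empty; a `newPlayers.length > 0` guard would fit in the same change.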
Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
