Submission Details
Severity:
Address(0) can enter Raffle, can lead to locked funds
Summary
Invalid addresses can enter the lottery, if they end up winning no ERC721 can be minted and the funds will be locked in the contract.
Vulnerability Details
There is no check for Address(0) in the PuppuRaffle::enterRaffle function. Therefor invalid addressen can participate. If they end up winning the lottery; PuppyRaffle::selectWinnner() will revert and the winnings will be locked inside the contract.
Impact
Loss of funds.
Tools Used
Foundry
Recommendations
function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
for (uint256 i = 0; i < newPlayers.length; i++) {
+ require(newPlayers[i] != address(0), "PuppyRaffle: Player cannot be address(0)");
players.push(newPlayers[i]);
}
// Check for duplicates
for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
emit RaffleEnter(newPlayers);
}
Updates
Lead Judging Commences
Hamiltonite over 1 year ago
Submission Judgement Published Assigned finding tags:
zero address can win the raffle
Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.