process for checking for duplicate addresses in enterRaffle results not being able to enter the raffle
Summary
The process for checking for duplicate addresses in enterRaffle results not being able to enter the raffle.
Vulnerability Details
The looping which takes place in enterRaffle to check for duplicates exposes the protocol to DoS attacks, in which a large number of entrants are entered, which would render other potential entrants from being able to enter the raffle due to the looping causing the subsequent call to enter the raffle to exceed gas limit.
Supporting PoC:
contract used to attack and cause DoS
javascript test used to execute the attack
screenshot showing the failure of attempted entry after attack
Impact
High - the likelihood and impact are both high. A DoS attack would cause a scenario in which additional entrants could not enter the raffle.
Tools Used
VS Code
Hardhat
Recommendations
Instead of using an array to store players entered into the raffle, use a mapping. This would be capable of enforcing that a specific address was only entered once without resorting to looping through a potentially large number of entrants.
Lead Judging Commences
denial-of-service-in-enter-raffle
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.