Severity: medium
Valid

You should validate that players are putting addresses into their address array in enterRaffle

Summary

A player can submit an array of whatever they want to enterRaffle.

Vulnerability Details

There is no input validation in enterRaffle:

    function enterRaffle(address[] memory newPlayers) public payable {
        require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        // Check for duplicates
        for (uint256 i = 0; i < players.length - 1; i++) {
            for (uint256 j = i + 1; j < players.length; j++) {
                require(players[i] != players[j], "PuppyRaffle: Duplicate player");
            }
        }
        emit RaffleEnter(newPlayers);
    }

Impact

This makes it very simple for people to submit a really long array of invalid entries and waste a lot of gas with all the loops in this function.

Also, generally, you create smart contract risks when people are allowed to submit unexpected inputs - it is better to prevent them from doing so in the first place.

Tools Used

Manual review

Recommendations

There are multiple ways you could address this. You could use the isAddress check from web3. Or you could at least check that the input for each item in the array is 20 bytes. People could still submit fake 20-byte data, but they would have to try harder to do it compared to submitting an array of 0, 1, 2, etc.
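One way to bound the cost of the loops described under Impact, shown as an added example that is not part of the submission or the PuppyRaffle code base: cap the batch size, reject the zero address, and replace the nested duplicate scan with a mapping lookup so the work is linear in the batch. The contract name, MAX_BATCH and isEntered are hypothetical, and the cap of 50 is an assumed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hardened entry path for a raffle like the one in this finding.
// RaffleEntryHardened, MAX_BATCH and isEntered are hypothetical names.
contract RaffleEntryHardened {
    uint256 public immutable entranceFee;
    uint256 public constant MAX_BATCH = 50; // assumed cap, tune per deployment

    address[] public players;
    mapping(address => bool) public isEntered; // O(1) duplicate lookup

    event RaffleEnter(address[] newPlayers);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] calldata newPlayers) external payable {
        uint256 n = newPlayers.length;
        // Bound the per-call work so one caller cannot force a huge loop.
        require(n > 0 && n <= MAX_BATCH, "Raffle: bad batch size");
        require(msg.value == entranceFee * n, "Raffle: Must send enough to enter raffle");

        for (uint256 i = 0; i < n; i++) {
            address p = newPlayers[i];
            // Reject the obvious placeholder entry.
            require(p != address(0), "Raffle: zero address");
            // Setting the flag inside the loop also catches duplicates
            // within the same batch, without scanning the players array.
            require(!isEntered[p], "Raffle: Duplicate player");
            isEntered[p] = true;
            players.push(p);
        }
        emit RaffleEnter(newPlayers);
    }
}
```

Any code path that removes a player from the array would also need to clear that player's isEntered flag.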

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

denial-of-service-in-enter-raffle
