The selectWinner function in the provided code is vulnerable to a loss of funds if the randomly selected winner's address has been replaced with address(0) due to a refund.
The vulnerability arises from the selection of a winner using a randomly generated index from the players array. If one or several players have refunded their entrance fees, their addresses are replaced with address(0) in the array. However, there is no verification if the randomly selected winner's address is valid, which can result in the loss of funds.
If the randomly selected winner's address is address(0) due to a refund, the prize and the associated non-fungible token (NFT) will be sent to address(0), resulting in a loss of funds. This can occur when one or more players have refunded their entrance fees before the winner is selected.
Manual review.
To mitigate this vulnerability, consider implementing the following measures:
Use the _isActivePlayer function to ensure that the randomly selected winner's address is not address(0) before proceeding with the prize distribution.
Implement a mechanism to handle situations where the randomly selected winner's address is invalid, such as selecting an alternative winner or redistributing the prize pool.
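One way to implement the second recommendation, shown as an added example that is not code from the audited contract: the winner is drawn only from slots that still hold a real address, so a refunded slot can never be selected. The contract name RaffleSketch, the pickWinner function and its randomWord parameter are hypothetical, and where the random value comes from is outside this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. RaffleSketch, pickWinner and randomWord are hypothetical
// names; only the players array and the address(0) refund marker mirror the
// behaviour described in the finding.
contract RaffleSketch {
    address[] public players;
    uint256 public immutable entranceFee;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
    }

    // Refund as the finding describes it: the slot is overwritten with address(0).
    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        players[index] = address(0); // state change before the external call
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    // Draw the winner from active entries only. randomWord is assumed to be
    // supplied by whatever randomness source the raffle uses.
    function pickWinner(uint256 randomWord) public view returns (address winner) {
        uint256 n = players.length;
        address[] memory active = new address[](n);
        uint256 count = 0;
        for (uint256 i = 0; i < n; i++) {
            if (players[i] != address(0)) {
                active[count] = players[i];
                count++;
            }
        }
        // Every slot refunded: revert instead of paying out to address(0).
        require(count > 0, "no active players");
        winner = active[randomWord % count];
    }
}
```

Prize and NFT distribution would then use only the address returned by pickWinner, which is never address(0).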
Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High