First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of `Input Validation` in enterRaffle function can result in loss of user fund.

azmaeengh

Summary

Inside the enterRaffle function, the first for-loop (that adds new players to the players array) is not making sure that no Zero address are included in the players array. This way even though the zero address can be added to the players array, it will cause issue later when refunding to that address.

Vulnerability Details

If any of the newPlayers addresses is the zero address, it could potentially cause issues. This is because the zero address is not a valid Ethereum address that can receive Ether or interact with contracts.

For example, if a user tries to enter the raffle with the zero address, they would be added to the players array. However, they would never be able to refund their entrance fee (if they were allowed to), because the zero address cannot receive Ether.

Moreover, the getActivePlayerIndex function:

function getActivePlayerIndex(address player) external view returns (uint256) {

for (uint256 i = 0; i < players.length; i++) {

if (players[i] == player) {

return i;

}

return 0;

}

If a user tries to get the index of the zero address, the function would return 0, which could be misleading because 0 is also a valid index in the players array.

Therefore, it's a good practice to validate the input addresses and ensure they are not the zero address before processing them. This can prevent potential issues and errors in your contract.

Impact

Bad user experience and potential loss of funds.

Tools Used

Recommendations

To address the potential vulnerability of accepting the zero address as a valid player, you can add a check in the enterRaffle function to ensure that none of the input addresses is the zero address.
This can simply be done inside the for-loop that adds newPlayers to the players array.

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

+ require(newPlayers[i] != address(0), "PuppyRaffle: Zero address is not a valid player");

players.push(newPlayers[i]);

}

// rest of the code

}

This modification will cause the function to revert if any of the input addresses is the zero address, preventing it from being added to the players array. This can help prevent potential issues and errors in your contract.

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: User input validation

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.