First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect Return Value in getActivePlayerIndex Function Leads to Potential Revert and Unintended Behavior

n0kto

Summary

There is a vulnerability in the function getActivePlayerIndex(address player). This vulnerability stems from an incorrect return value when a player is not found in the players array.

Vulnerability Details

The vulnerability can be found at the last line in the following code snippet:

function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
return 0;
}

When the specified player is not found in the players array, the function returns a value of 0. This implies that the player is located at the first position of the array, potentially leading to undesired behavior and unintended consequences.

Impact

The impact of this vulnerability is significant, as any contract or people utilizing this function may encounter issues. Contracts or people relying on this function to determine the index of a player and perform actions based on that index, such as refunds, will experience transaction reverting.

Tools Used

Manual review.

Recommendations

To address this vulnerability, I recommend updating the code to revert when the specified player is not found in the players array.

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

getActivePlayerIndex can say a player is both entered at slot 0 and inactive

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.