Contest tags: Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: medium
Valid

enterRaffle should reject contract addresses as entries; otherwise a contract that wins but cannot receive ERC721 tokens leaves the prize NFT undeliverable

Summary

Anyone can enter a contract address into the raffle because enterRaffle performs no check on whether each submitted address is a contract.

Vulnerability Details

function enterRaffle(address[] memory newPlayers) public payable {
    require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
    // Every submitted address is accepted as-is: nothing verifies that it is an EOA
    // or that it can receive an ERC721 token.
    for (uint256 i = 0; i < newPlayers.length; i++) {
        players.push(newPlayers[i]);
    }
    // Check for duplicates
    for (uint256 i = 0; i < players.length - 1; i++) {
        for (uint256 j = i + 1; j < players.length; j++) {
            require(players[i] != players[j], "PuppyRaffle: Duplicate player");
        }
    }
    emit RaffleEnter(newPlayers);
}

Impact

A raffle can run to completion with a contract address selected as the winner. If that contract cannot receive the NFT, the mint to it fails and the prize is never delivered. Because this raffle has an unlimited supply of mints the loss is bounded, but with a capped supply the token would be permanently lost. Even with unlimited mints it is unfair to the other players: an NFT was promised to the round's winner and nobody received it, and the outcome cannot be corrected afterwards because the players array is reset when the winner is drawn. Depending on how the winner is paid and minted, the failing transfer may instead revert the whole winner selection, which is the "halts the raffle" outcome recorded in the judging tag below.

Tools Used

Manual review

Recommendations

Import OpenZeppelin's Address.sol and use Address.isContract (an extcodesize check) in enterRaffle to reject contract addresses as entries. Two caveats: isContract returns false for an address whose constructor is still executing and for a precomputed CREATE2 address that has no code yet, so it is a best-effort filter rather than a hard guarantee; and the function was removed in OpenZeppelin Contracts 5.x, where address(x).code.length > 0 is the equivalent check. A more robust alternative is to allow contract entrants but deliver the prize in a way the recipient cannot block, for example a pull-based claim.
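The following is an added example, not PuppyRaffle's code or OpenZeppelin's: a minimal entry function that applies the recommended contract check inline with an extcodesize-style test. The contract name RaffleEntry, the entranceFee, players and RaffleEnter names, and the error strings are assumptions modelled on the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code). Shows enterRaffle with the
// contract-address check the recommendation describes, plus the caveat that
// the check is best-effort.
contract RaffleEntry {
    uint256 public immutable entranceFee;
    address[] public players;

    event RaffleEnter(address[] newPlayers);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    // True when code is currently deployed at `account`. This is the same test
    // OpenZeppelin's pre-5.0 Address.isContract performs (extcodesize > 0).
    // Caveat: it returns false while a contract's constructor is still running
    // and for an address that will only receive code later (e.g. via CREATE2),
    // so a determined attacker can still get a contract into the raffle.
    function _isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }

    function enterRaffle(address[] calldata newPlayers) external payable {
        require(msg.value == entranceFee * newPlayers.length, "RaffleEntry: Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            address p = newPlayers[i];
            require(p != address(0), "RaffleEntry: zero address");
            // The check this finding asks for: reject entries that are contracts.
            require(!_isContract(p), "RaffleEntry: contract addresses cannot enter");
            // Duplicate check against everything already stored (including
            // entries added earlier in this same call, since they are pushed
            // before the next iteration). Still O(n^2) like the original.
            for (uint256 j = 0; j < players.length; j++) {
                require(players[j] != p, "RaffleEntry: Duplicate player");
            }
            players.push(p);
        }
        emit RaffleEnter(newPlayers);
    }
}
```

To exercise the check in a Foundry test, deploy any contract (for example an empty `contract Wallet {}`), pass `address(wallet)` in `newPlayers`, and expect the call to revert with "RaffleEntry: contract addresses cannot enter"; then pass an EOA such as `address(0xBEEF)` with the correct `msg.value` and expect it to succeed. Because `_isContract` is bypassable from a constructor, a test that enters the raffle from inside a constructor will pass the check, which is why the pull-based prize delivery mentioned above is the stronger fix.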

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

smart contract wallet without fallback/receive will halt the raffle
