Submission Details
Severity: high
Valid

Can Stop Players from Being Able to Enter

Summary

If more than 2 players call refund(), then no more players can enter the raffle.

Vulnerability Details

When a player calls refund(), their entry in the players array is replaced with address(0) at the corresponding index. If more than 2 players call refund(), 2 or more elements of the players array will contain the address(0) value.

enterRaffle() will then revert for all subsequent calls: within the loop checking for duplicate players, players[i] == players[j] whenever players[i] = address(0) and players[j] = address(0).

Impact

Disrupts the functionality of the contract as no new players can enter if 2+ players have refunded. If this occurs at players.length = 3 (3 players entered raffle and 2 refunded) then the raffle/contract becomes 'stuck'. No new players can enter and SelectWinner() cannot be called as players.length < 4.

Tools Used

Recommendations

Implement a check in enterRaffle() so that if players[i] (or players[j]) is address(0), the require statement is skipped.
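
An added example, not the contest's contract code: a constructed Solidity model of the players bookkeeping that shows the revert described above and the recommended address(0) skip side by side. The names RaffleModel, skipRefunded and playersLength are assumptions, the zero-address entry check is added for the model, and fees and payouts are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed model of the raffle's player bookkeeping (no fees or payouts).
contract RaffleModel {
    address[] public players;
    bool public immutable skipRefunded; // true = apply the recommended check

    constructor(bool _skipRefunded) {
        skipRefunded = _skipRefunded;
    }

    function enterRaffle(address[] memory newPlayers) external {
        for (uint256 i = 0; i < newPlayers.length; i++) {
            // Added in this model: address(0) marks a refunded slot, so it may not enter.
            require(newPlayers[i] != address(0), "zero address cannot enter");
            players.push(newPlayers[i]);
        }
        // Duplicate check over the whole array, as the finding describes.
        for (uint256 i = 0; i < players.length; i++) {
            // Recommended fix: a refunded slot is not a player, so skip it.
            if (skipRefunded && players[i] == address(0)) continue;
            for (uint256 j = i + 1; j < players.length; j++) {
                // Without the skip, two zeroed slots compare equal and revert here.
                require(players[i] != players[j], "Duplicate player");
            }
        }
    }

    function refund(uint256 playerIndex) external {
        require(players[playerIndex] == msg.sender, "only the player can refund");
        players[playerIndex] = address(0); // slot is zeroed, array keeps its length
    }

    function playersLength() external view returns (uint256) {
        return players.length;
    }
}
```

Deployed with skipRefunded = false, three entrants followed by two refund() calls make every later enterRaffle() revert with "Duplicate player"; with skipRefunded = true the same sequence lets new players enter. In both cases playersLength() still counts the zeroed slots, so the skip alone does not shrink the array.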

Updates

Lead Judging Commences

Hamiltonite Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
