First Flight #2: Puppy Raffle

Summary

Possible DoS attack could happen in changeFeeAddress() due to no zero address check

Vulnerability Details

This function does not check if the new fee address is the zero address.

Impact

If the function is called with the zero address, it will update the feeAddress to the zero address. This is not a problem on its own, but if the withdrawFees() function is called afterwards, it will attempt to send the fees to the zero address, which is not possible because the zero address does not have a balance. This will cause the withdrawFees() function to fail and consume all the gas available for the transaction.

Here's a potential attack scenario:

Let's say an attacker wants to disrupt the withdrawFees() function. The attacker could call the changeFeeAddress() function with the zero address as the new fee address. The changeFeeAddress() function will then update the feeAddress to the zero address. When the withdrawFees() function is called afterwards, it will attempt to send the fees to the zero address, causing the function to fail and consume all the gas available for the transaction.

Tools Used

Remxi, Foundry, PhindAI

Recommendations

To mitigate this issue, the changeFeeAddress() function should check if the new fee address is the zero address before updating the feeAddress.
This can be done using the require statement with the condition:

This check ensures that the function does not proceed if the new fee address is the zero address.

Here's how the changeFeeAddress() function could be modified to include this check:

In this modified version of the changeFeeAddress() function, the function will revert the transaction if the new fee address is the zero address. This prevents the withdrawFees() function from failing and consuming all the gas available for the transaction, mitigating the risk of a DoS attack.