Submission Details
Severity: high
Valid

Winner can be the zero address

Summary

Winner can be the zero address.

Vulnerability Details

The refund function replaces a player's entry in the players array with the zero address when that player leaves the raffle. The selectWinner function does not account for this; it just picks a pseudorandom number as the index of the winner. This means the winner can be address(0), i.e. nobody.

Impact

High. Funds would be burned.

Tools Used

n/a

Recommendations

Use a counter to track the number of active players. When somebody joins, increase the counter; when someone leaves, decrease it.

In selectWinner, first verify that there are active players by checking that the counter > 0.
Compute the winning index as normal. If the address at that index is not address(0), that player won.
If the address at that index is address(0), go to index (i + 1) % players.length. Repeat until you find an address that is not address(0) (a player who hasn't withdrawn).
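
One way to implement the counter-and-probe recommendation above, as an added example that is not the audited contract's code. Apart from players, refund and selectWinner, every name here (RaffleSketch, activePlayers, entranceFee, enter) and the payout logic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Only `players`, `refund` and
// `selectWinner` are names from the finding; everything else is assumed.
contract RaffleSketch {
    address[] public players;      // refunded slots hold address(0)
    uint256 public activePlayers;  // counter recommended by the finding
    uint256 public immutable entranceFee;

    constructor(uint256 fee) {
        entranceFee = fee;
    }

    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        players.push(msg.sender);
        activePlayers += 1;
    }

    function refund(uint256 index) external {
        require(players[index] == msg.sender, "not your slot");
        // State changes come before the external call.
        players[index] = address(0);
        activePlayers -= 1;
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }

    function selectWinner() external {
        require(activePlayers > 0, "no active players");
        // Placeholder index source. Weak randomness is a separate issue that
        // this sketch does not address.
        uint256 i = uint256(keccak256(abi.encodePacked(block.prevrandao, players.length)))
            % players.length;
        // Probe forward, wrapping around, until a non-refunded slot is found.
        // activePlayers > 0 guarantees that the loop terminates.
        while (players[i] == address(0)) {
            i = (i + 1) % players.length;
        }
        address winner = players[i];
        uint256 prize = entranceFee * activePlayers;
        delete players;
        activePlayers = 0;
        (bool ok, ) = winner.call{value: prize}("");
        require(ok, "payout failed");
    }
}
```

Probing forward removes the address(0) winner, but it is not uniform: the player sitting after a run of refunded slots inherits those slots' share of the probability, and the loop costs gas proportional to the length of that run.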

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG. Impact: manipulate winner.

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. Impact: High. Likelihood: High.
