Tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Valid

Duplicate check in enterRaffle() makes gas cost grow with the number of players, making entry progressively more expensive for later players.

Summary

The function enterRaffle() checks for duplicate entrants by looping over the players array, comparing the new entries against every player already stored.

Vulnerability Details

Because the duplicate check loops over the whole players array, the gas consumed by enterRaffle() increases every time the array grows: each new call has to compare against all players entered before it, so a later entrant pays more gas than an earlier one for the same action.
Scenario
1st raffle: 50 players enter, amount of gas used = x
2nd call: 50 more players enter, amount of gas used >>> x (the check now scans 100 entries instead of 50)

POC

The following Foundry test goes inside the repository's PuppyRaffleTest contract, which provides the `puppyRaffle` instance and `entranceFee`. It enters two batches of 50 distinct addresses and asserts that the second batch costs more than the first.

```solidity
/// EnterRaffle ///
/////////////////////
function testGasCost() public {
    // tx.gasprice = 2 wei, so the logged values are gas * 2 (a cost in wei, not raw gas)
    vm.txGasPrice(2);

    uint256 playersNum = 50;
    address[] memory players = new address[](playersNum);
    for (uint256 i = 0; i < playersNum; i++) {
        // uint160 cast keeps this compiling on both 0.7.x and 0.8.x
        players[i] = address(uint160(i));
    }

    // First batch of 50 distinct players
    uint256 gasStart = gasleft();
    puppyRaffle.enterRaffle{value: entranceFee * playersNum}(players);
    uint256 gasEnd = gasleft();
    uint256 gasUsed = (gasStart - gasEnd) * tx.gasprice;
    console.log("Gas Cost", gasUsed);

    // Second batch of 50 new distinct players; the duplicate check now
    // scans all 100 stored entries
    for (uint256 i = 0; i < playersNum; i++) {
        players[i] = address(uint160(i + playersNum));
    }
    gasStart = gasleft();
    puppyRaffle.enterRaffle{value: entranceFee * playersNum}(players);
    gasEnd = gasleft();
    uint256 gasUsedAgain = (gasStart - gasEnd) * tx.gasprice;
    console.log("Gas Cost 2nd time", gasUsedAgain);

    assert(gasUsed < gasUsedAgain);
}
```

Impact

As the players array grows, the gas required to call enterRaffle() keeps rising. Later players pay far more than earlier ones for the same entry, and once the cost becomes prohibitive (or a single call no longer fits in a block), new players are effectively prevented from entering: a denial of service on enterRaffle().

Tools Used

Manual Review

Recommendations

It is recommended not to scan the players array to detect duplicates. Track entrants in a mapping (for example, address to the raffle id in which it entered) so that the duplicate check is a single storage read per new player regardless of how many have already entered; reset the check for the next raffle by incrementing the id rather than iterating. Note also that the duplicate check gives little protection in practice, since one person can simply enter from several addresses, so removing it altogether is an acceptable alternative.
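The contrast described in the Vulnerability Details and the mapping-based fix suggested above, as an added example that is not PuppyRaffle's own code: the two contracts below isolate only the duplicate check (the real enterRaffle() also handles the entrance fee, events and raffle timing), and the Foundry test entering two batches of 50 addresses into each shows the loop version's cost growing between batches while the mapping version's stays flat. Contract and function names are chosen for illustration; the forge-std `Test` import and `assertGt`/`assertLt` helpers are the standard ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

/// Vulnerable pattern: every pair in the full players array is compared,
/// so the check is O(n^2) in players.length and each later call costs more.
contract DuplicateCheckLoop {
    address[] public players;

    function enterRaffle(address[] memory newPlayers) external {
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }
        for (uint256 i = 0; i < players.length; i++) {
            for (uint256 j = i + 1; j < players.length; j++) {
                require(players[i] != players[j], "Duplicate player");
            }
        }
    }
}

/// Hardened pattern: membership is one mapping read per new player,
/// independent of how many players have already entered.
contract DuplicateCheckMapping {
    address[] public players;
    uint256 public raffleId;
    // address => (raffleId + 1) of the raffle it last entered; the +1 keeps
    // the mapping's zero default from matching the first raffle.
    mapping(address => uint256) private enteredRaffle;

    function enterRaffle(address[] memory newPlayers) external {
        uint256 current = raffleId + 1;
        for (uint256 i = 0; i < newPlayers.length; i++) {
            address p = newPlayers[i];
            require(enteredRaffle[p] != current, "Duplicate player");
            enteredRaffle[p] = current;
            players.push(p);
        }
    }

    // Called when a raffle is settled: bumping the id invalidates every
    // previous entry without iterating over the mapping.
    function _resetRaffle() internal {
        delete players;
        raffleId++;
    }
}

contract DuplicateCheckGasTest is Test {
    // Constructed batch of n distinct, non-zero addresses starting at `start`.
    function _batch(uint256 start, uint256 n) internal pure returns (address[] memory a) {
        a = new address[](n);
        for (uint256 i = 0; i < n; i++) {
            a[i] = address(uint160(start + i + 1));
        }
    }

    function testLoopGrowsWhileMappingStaysFlat() public {
        DuplicateCheckLoop loop = new DuplicateCheckLoop();
        DuplicateCheckMapping map = new DuplicateCheckMapping();

        uint256 g = gasleft();
        loop.enterRaffle(_batch(0, 50));
        uint256 loop1 = g - gasleft();
        g = gasleft();
        loop.enterRaffle(_batch(50, 50));
        uint256 loop2 = g - gasleft();

        g = gasleft();
        map.enterRaffle(_batch(0, 50));
        uint256 map1 = g - gasleft();
        g = gasleft();
        map.enterRaffle(_batch(50, 50));
        uint256 map2 = g - gasleft();

        // Second batch scans 100 stored entries instead of 50: strictly more gas.
        assertGt(loop2, loop1);
        // Mapping cost per batch does not grow with earlier entrants (10% slack
        // covers warm/cold storage-slot differences between the two calls).
        assertLt(map2, map1 + map1 / 10);

        // The duplicate check still works in the mapping version.
        vm.expectRevert(bytes("Duplicate player"));
        map.enterRaffle(_batch(0, 1));
    }
}
```

Run with `forge test --match-contract DuplicateCheckGasTest -vv`; adding `--gas-report` shows the per-call numbers behind the two assertions.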

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

denial-of-service-in-enter-raffle
