The PuppyRaffle contract does not implement a zero value check when addresses are added to the players array or in the changeFeeAddress function. This means that zero addresses (address(0)) can be added as participants or set as the new fee address, which can have unintended consequences.
In the enterRaffle function, there is no check to ensure that the addresses being added to the players array are not zero addresses. This can lead to zero addresses participating in the raffle, which is not intended behavior.
Similarly, in the changeFeeAddress function, a new fee address can be set to a zero address. This could result in fees being sent to an invalid or non-existent address.
Low to Medium: While not a critical vulnerability, allowing zero addresses to participate in the raffle or setting a zero address as the fee address can lead to undesirable behavior and could potentially impact contract functionality.
Manual review of the smart contract code.
To address the issue of zero value addresses, consider implementing the following recommendations:
In the enterRaffle function, add a check to ensure that the addresses being added to the players array are not zero addresses. If a zero address is detected, reject the transaction or emit an error.
In the changeFeeAddress function, validate that the new fee address is not a zero address before allowing the change. Reject the transaction or emit an error if a zero address is provided.
By implementing these recommendations, the contract can enhance its security and avoid unexpected behavior related to zero addresses.
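A minimal sketch of both recommended checks, added here as an illustration and not taken from the PuppyRaffle source. The contract name, function signatures, storage layout, owner check and revert strings are assumptions; only the function and array names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract (hypothetical name). Only the parts relevant to the
// zero-address checks are modelled; signatures are assumed, not copied.
contract RaffleZeroAddressSketch {
    address public owner;
    address public feeAddress;
    uint256 public entranceFee;
    address[] public players;

    event FeeAddressChanged(address newFeeAddress);

    constructor(uint256 _entranceFee, address _feeAddress) {
        // The same check belongs wherever feeAddress is first set.
        require(_feeAddress != address(0), "fee address is zero");
        owner = msg.sender;
        entranceFee = _entranceFee;
        feeAddress = _feeAddress;
    }

    // Assumed shape: the caller pays the entrance fee for a batch of entrants.
    function enterRaffle(address[] memory newPlayers) external payable {
        require(msg.value == entranceFee * newPlayers.length, "wrong payment");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            // Revert the whole batch if any entrant is address(0), so a
            // zero address never reaches the players array.
            require(newPlayers[i] != address(0), "player is zero address");
            players.push(newPlayers[i]);
        }
    }

    // Assumed to be owner-restricted; the zero check runs before the write.
    function changeFeeAddress(address newFeeAddress) external {
        require(msg.sender == owner, "not owner");
        require(newFeeAddress != address(0), "fee address is zero");
        feeAddress = newFeeAddress;
        emit FeeAddressChanged(newFeeAddress);
    }
}
```

Because each `require` reverts the transaction, a batch containing a single zero address leaves the players array and the caller's payment untouched.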