First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Bypassing the Requirement for a Minimum Number of Players

emanherawy

Summary

The PuppyRaffle contract includes a condition that requires a minimum of four players to participate before the selectWinner function can be executed. However, it is possible for a user to call the refund function after joining the raffle and, if no other players have joined or all participants have refunded, this condition can be bypassed, allowing the selectWinner function to be executed with fewer than four players.

Vulnerability Details

The vulnerability arises from the interaction between the refund function and the condition in the selectWinner function:

A user joins the raffle by calling the enterRaffle function.
Subsequently, the user calls the refund function to receive a refund of their entrance fee, effectively removing themselves from the list of active players.
If no other users have joined the raffle or if all participants have requested refunds and the players array is empty, the condition require(players.length >= 4, "PuppyRaffle: Need at least 4 players") is no longer met.
This allows the selectWinner function to be executed with fewer than four players, potentially leading to an unintended situation where the raffle takes place without the minimum required participants.

Impact

Medium: Bypassing the requirement for a minimum number of players in the selectWinner function can lead to situations where the raffle is conducted with fewer participants than intended, potentially impacting the fairness and expected outcomes of the raffle.

Tools Used

Manual review of the smart contract code.

Recommendations

To address the vulnerability and ensure that the condition for a minimum number of players is consistently met, consider implementing the following recommendation:

Update the refund function to update the players array and reduce its length by one when a user requests a refund. or use mapping instead of array to store players with adding a counter to keep track of the number of players. the counter will be incremented when a new player joins and decremented when a player refunds.

By implementing this recommendation, the contract can maintain the intended minimum participation requirement for the selectWinner function, enhancing the fairness of the raffle.

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze

zero address can win the raffle

Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.