Submission Details
Severity:
getActivePlayerIndex invariant broken
Summary
The getActivePlayerIndex function returns 0 if a player isn't found in the active player array players. However, if the function is called with the address of the first person in that array, it will also return index 0, resulting in Schrödinger's player.
Vulnerability Details
function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
return 0;
}
Given the function above, the results of this test don't tell us anything - is playerOne, in the raffle, or out?
function testGetActivePlayerIndexManyPlayers() public {
address[] memory players = new address[](2);
players[0] = playerOne;
players[1] = playerTwo;
puppyRaffle.enterRaffle{value: entranceFee * 2}(players);
assertEq(puppyRaffle.getActivePlayerIndex(playerOne), 0);
}
Impact
Player in index 0 of the players[] array can never be sure if they are in or out of the raffle.
Tools Used
Foundry
Manual Review
Recommendations
Implement a revert if the provided address is not found:
function getActivePlayerIndex(address player) external view returns (uint256) {
for (uint256 i = 0; i < players.length; i++) {
if (players[i] == player) {
return i;
}
}
revert("Player not found in active players array");
}
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
getActivePlayerIndex can say a player is both entered at slot 0 and inactive
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.