Submission Details
Severity:
Player count not decreased in the refund function will lead to call the `selectWinner` function even if there are less than 4 players.
Summary
The refund function however refunds the amount of ETH to the player but fails to decrease the count of players.
Vulnerability Details
Not decreasing the count of players in the refunds function would cause to call the selectWinner function even if there are less than 4 players.
Impact
selectWinner function can be called even if there are less than 4 players.
Poc
function testPlayerCountNotDecreasedWhenRefund() public {
uint256 playersNum = 5;
address[] memory players = new address[](playersNum);
// Enter 5 players
for (uint i = 0; i < playersNum; i++) {
players[i] = address(i);
}
puppyRaffle.enterRaffle{value:entranceFee * playersNum}(players);
uint plyLenBef = puppyRaffle.playersLen();
vm.prank(players[1]);
puppyRaffle.refund(1);
uint plyLenAft = puppyRaffle.playersLen();
console.log(plyLenBef, plyLenAft);
assert(plyLenBef == plyLenAft);
}
Tools Used
VS Code
Recommendations
Use counter variable to count the players length instead of players,length.
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
refund-doesnt-reduce-players-array-size-causing-protocol-to-freeze
zero address can win the raffle
Funds are locked to no one. If someone gets the refund issue, they also got this issue. IMPACT: High Likelihood: High
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.