Submission Details
Severity:
DOS for new entrants
Summary
New players can be blocked from entering the raffle.
Vulnerability Details
After two players have been refunded, the duplicate address checker will always pass as there will be two 0 addresses in the players array.
function testDOS() public playersEntered {
vm.prank(playerOne);
puppyRaffle.refund(0);
vm.prank(playerTwo);
puppyRaffle.refund(1);
address[] memory players = new address[](4);
players[0] = playerFive;
players[1] = playerSix;
players[2] = playerSeven;
players[3] = playerEight;
vm.expectRevert("PuppyRaffle: Duplicate player");
puppyRaffle.enterRaffle{value: entranceFee * 4}(players);
}
Impact
Doesn't allow raffle to function as intended and allow new players. Can lead to loss of funds where a genuine player enters and malicious actor performs DOS on contract as select winner will not be able run with less than 4 players.
Tools Used
Manual review
Recommendations
Delete addresses from players array after refund instead of changing to 0 address, will need to use pop instead of built in delete.
Updates
Lead Judging Commences
Hamiltonite almost 2 years ago
Submission Judgement Published Assigned finding tags:
denial-of-service-in-enter-raffle
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.