Submission Details
Severity: high
Invalid

Duplication check logic flaw

Summary

Inside of the 'enterRaffle' function there is a logical flaw with checking for duplicate players.

Vulnerability Details

We are only checking for duplicate players AFTER we have pushed them to the array.
This means that it's technically possible to have duplicated players in the raffle.
Our duplication check also only detects duplicates that enter in the same transaction.
So a player could easily bypass this check by entering the raffle as often as he wants, using a new transaction for every new entry.

Impact

Critical due to the nature of the bug.
The bug is easily exploitable by using a new transaction to gain entry to the raffle with the same address as often as you wish.

Tools Used

VS Code
Foundry

Recommendations

First of all, write PROPER tests in your Foundry code base.
There is a test for this, but the test is also flawed, so it could not detect the actual bug.
A potential solution to prevent this bug:

  1. Use a mapping or database to check a player's status

  2. Check newPlayers for duplicates

  3. Then check the newPlayers against the actual players mapping/database for duplicates

  4. If that check passes, add the newPlayers to the existing players mapping/database to enter the raffle
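A sketch of the mapping-based check recommended in steps 1 to 4, added here as an illustration; it is not the audited contract's code or the submitter's. Apart from `enterRaffle`, `newPlayers` and `players`, every name (`RaffleEntrySketch`, `entered`, `round`, the custom errors, `_resetRound`) is hypothetical, and steps 2 and 3 are folded into a single storage lookup per address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only. Hypothetical contract, not the code under audit.
contract RaffleEntrySketch {
    uint256 public immutable entranceFee;
    address[] public players;
    uint256 public round; // current raffle round (hypothetical)

    // round => player => already entered. Lives in storage, so the
    // check holds across separate transactions, not just within one call.
    mapping(uint256 => mapping(address => bool)) private entered;

    error WrongValue();
    error ZeroAddress();
    error DuplicatePlayer(address player);

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function enterRaffle(address[] calldata newPlayers) external payable {
        if (msg.value != entranceFee * newPlayers.length) revert WrongValue();

        for (uint256 i = 0; i < newPlayers.length; i++) {
            address p = newPlayers[i];
            if (p == address(0)) revert ZeroAddress();

            // Check BEFORE pushing. One lookup covers both cases:
            //  - a repeat inside newPlayers (flag set earlier in this loop)
            //  - a repeat of an address entered by an earlier transaction
            if (entered[round][p]) revert DuplicatePlayer(p);

            entered[round][p] = true;
            players.push(p);
        }
        // A revert above rolls back every flag and push made in this call,
        // so a rejected batch leaves no partial entries behind.
    }

    function isEntered(address p) external view returns (bool) {
        return entered[round][p];
    }

    // Hypothetical hook for starting a new raffle: bumping the round makes
    // all old flags unreachable without iterating over the mapping.
    function _resetRound() internal {
        delete players;
        round += 1;
    }
}
```

A Foundry test for this sketch would enter an address in one call, then assert that a second `enterRaffle` call containing the same address reverts with `DuplicatePlayer`.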

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Gas optimizations
