First Flight #2: Puppy Raffle
First Flight #2
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Can Enter Duplicate Player

0xkeesmark

Summary

The documentation specifies that duplicate entrants are not permitted in the raffle. However, the enterRaffle function does not currently prevent the same address from entering multiple times.

Vulnerability Details

The code snippet provided checks for duplicate entries by comparing each player with the next one in the players array. This method fails to detect duplicates if the same address is not adjacent in the list, particularly when comparing the first and last entrants.

for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(
players[i] != players[j],
"PuppyRaffle: Duplicate player"
);
}
}

Impact

Allowing duplicate players can lead to an unfair advantage and disrupt the intended fairness of the raffle game.

Tools Used

Manual Review

Recommendations

The current method of duplicate checking is insufficient as it only checks for consecutive duplicate players. Instead, a mapping should be used to keep track of which addresses have already entered:

So fix something like this.

mapping(address => bool) public enteredPlayers;
for (uint256 i = 0; i < newPlayers.length; i++) {
address newPlayer = newPlayers[i];
require(!enteredPlayers[newPlayer], "cannot duplicate player");
players.push(newPlayer);
enteredPlayers[newPlayer] = true;
}
// delete this
for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
Assigned finding tags:

weak-randomness

Root cause: bad RNG Impact: manipulate winner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.