Submission Details
Severity: medium
Invalid

constructor() lacking address zero-check makes it possible to lose fees

PoC for constructor() lacking address zero-check

Summary

The PuppyRaffle::constructor() function lacks a zero-check for feeAddress.

Vulnerability Details

The constructor does not check whether the feeAddress is different from 0 upon deployment.

Such a case would mean that 20% of the fees would be lost forever upon raffle selectWinner() and withdrawFees() completion.

Impact

MEDIUM IMPACT:

20% of the fees would be lost. It's not a hacking/stealing money case scenario, just a bad handling of money.

LOW LIKELIHOOD:

Constructor is only called once, while deploying. An owner who would accidentally input 0x0000000000000000000000000000000000000000 as a fee address is quite unlikely.

Tools Used

  • VScode

  • Slither

Recommendations

  1. Add a require into the constructor like so:

constructor(uint256 _entranceFee, address _feeAddress, uint256 _raffleDuration) ERC721("Puppy Raffle", "PR") {
+ require(_feeAddress != address(0), "Fee address cannot be the zero address");
entranceFee = _entranceFee;
feeAddress = _feeAddress;
raffleDuration = _raffleDuration;
raffleStartTime = block.timestamp;
rarityToUri[COMMON_RARITY] = commonImageUri;
rarityToUri[RARE_RARITY] = rareImageUri;
rarityToUri[LEGENDARY_RARITY] = legendaryImageUri;
rarityToName[COMMON_RARITY] = COMMON;
rarityToName[RARE_RARITY] = RARE;
rarityToName[LEGENDARY_RARITY] = LEGENDARY;
}
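
Review bot: the added require on `_feeAddress` at the top of the constructor only guards the deployment path, so if `feeAddress` can be reassigned anywhere else in the contract, that path needs the same `!= address(0)` check or the guard no longer holds after deployment. Placing the check before the state writes is right. A deployment test that expects a revert when `address(0)` is passed would pin the behaviour down.
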
Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Zero address checks
