Beginner FriendlyFoundryNFT
Submission Details
Severity: high
Invalid

`snek_raffle.vy::enter_raffle` has no limit on the number of entries from the same wallet

Summary

The `snek_raffle.vy::enter_raffle` function has no limit on the number of entries from the same wallet: one address can enter as many times as it is willing to pay the entrance fee.

Vulnerability Details

`snek_raffle.vy::enter_raffle` does not check whether `msg.sender` is already present in the `players` list. Every call that pays `ENTRANCE_FEE` while the raffle is open appends the caller again, so a single address can hold an arbitrary number of tickets in one draw.

Impact

This lets a single address buy up its chance of winning: holding k of the n tickets in a draw gives it a k/n probability of being selected. Since the entire balance is sent to the winner, an address that holds most of the tickets is very likely to receive the whole pot and thus recover what it paid in fees.
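The following is an added, constructed Python model of the entry and draw logic described above; it is not the project's Vyper code. It shows how repeated `enter_raffle` calls from one address shift the odds, and contrasts that with a one-entry-per-address variant of the kind suggested in the Recommendations. The entrance fee value, the winner index formula (`random_word % len(players)`), the round counter and all function and address names are assumptions made for the model.

```python
"""Constructed model of a single-winner raffle with and without a per-address entry limit."""
from dataclasses import dataclass, field
from fractions import Fraction
import hashlib

ENTRANCE_FEE = 10**16  # assumed: 0.01 ether, expressed in wei


class RaffleError(Exception):
    """Stands in for a failed Vyper assert."""


@dataclass
class Raffle:
    # When True, the model enforces one entry per address per round. The key includes a
    # round counter, so no per-player reset loop is needed when the draw finishes.
    one_entry_per_address: bool = False
    players: list = field(default_factory=list)
    balance: int = 0
    round_id: int = 0
    entered: set = field(default_factory=set)  # {(round_id, address)}

    def enter_raffle(self, sender: str, value: int) -> None:
        if value != ENTRANCE_FEE:
            raise RaffleError("SnekRaffle: Send more to enter raffle")
        if self.one_entry_per_address:
            if (self.round_id, sender) in self.entered:
                raise RaffleError("SnekRaffle: Participant already entered the raffle")
            self.entered.add((self.round_id, sender))
        # Unpatched behaviour: nothing stops the same address from being appended again.
        self.players.append(sender)
        self.balance += value

    def win_share(self, address: str) -> Fraction:
        """Probability that `address` is drawn when the random index is uniform."""
        return Fraction(self.players.count(address), len(self.players))

    def fulfill_random_words(self, random_word: int) -> tuple:
        """Pick players[random_word % len(players)], pay out the whole balance, reset."""
        winner = self.players[random_word % len(self.players)]
        payout, self.balance = self.balance, 0
        self.players = []
        self.round_id += 1  # invalidates every (round_id, address) key at once
        return winner, payout


def attacker_odds(honest_players: int, attacker_entries: int, fixed: bool = False):
    """Return (attacker win probability, attacker expected net result in wei).

    The attacker address "0xA" calls enter_raffle() `attacker_entries` times against
    `honest_players` single-entry addresses; a rejected call costs nothing here.
    """
    raffle = Raffle(one_entry_per_address=fixed)
    for i in range(honest_players):
        raffle.enter_raffle(f"0xH{i}", ENTRANCE_FEE)
    paid = 0
    for _ in range(attacker_entries):
        try:
            raffle.enter_raffle("0xA", ENTRANCE_FEE)
            paid += ENTRANCE_FEE
        except RaffleError:
            break
    share = raffle.win_share("0xA")
    # The whole balance goes to the winner, so expected payout is share * pot.
    expected_net = share * raffle.balance - paid
    return share, expected_net


def simulate(honest_players: int, attacker_entries: int, draws: int = 2000) -> float:
    """Replay `draws` unpatched raffles with deterministic pseudo-random words (sha256 of
    the draw number, a constructed stand-in for VRF output); return the attacker win rate."""
    wins = 0
    for seed in range(draws):
        raffle = Raffle()
        for i in range(honest_players):
            raffle.enter_raffle(f"0xH{i}", ENTRANCE_FEE)
        for _ in range(attacker_entries):
            raffle.enter_raffle("0xA", ENTRANCE_FEE)
        word = int.from_bytes(hashlib.sha256(seed.to_bytes(8, "big")).digest(), "big")
        winner, _ = raffle.fulfill_random_words(word)
        wins += winner == "0xA"
    return wins / draws


if __name__ == "__main__":
    for fixed in (False, True):
        share, net = attacker_odds(honest_players=3, attacker_entries=7, fixed=fixed)
        print(f"fixed={fixed}: attacker win probability {share}, expected net {net} wei")
    print(f"simulated attacker win rate (unpatched): {simulate(3, 7):.3f}")
```

With 3 honest tickets and 7 attacker tickets the unpatched model gives the attacker a 7/10 chance of taking the pot, while the fixed variant caps it at 1/4. In both cases the attacker's expected net result is zero before gas: extra tickets raise the probability of winning in proportion to what they cost, and the pot grows by the same amount, so stacking entries changes variance rather than expected value.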

Tools Used

Manual review

Recommendations

Add a mapping that records which addresses have already entered the current raffle, together with an error string for the new check:

+participated: public(HashMap[address, bool])
+ERROR_ALREADY_ENTERED_RAFFLE: constant(String[100]) = "SnekRaffle: Participant already entered the raffle"

then change `snek_raffle.vy::enter_raffle` to consult and update it:

def enter_raffle():
"""Enter the raffle by sending the entrance fee."""
assert msg.value == ENTRANCE_FEE, ERROR_SEND_MORE_TO_ENTER_RAFFLE
assert self.raffle_state == RaffleState.OPEN, ERROR_RAFFLE_NOT_OPEN
+ assert not self.participated[msg.sender], ERROR_ALREADY_ENTERED_RAFFLE
+ self.participated[msg.sender] = True
self.players.append(msg.sender)
log RaffleEntered(msg.sender)
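Review bot: the new assert on `self.participated[msg.sender]` limits entries per address, not per person; anyone can still buy extra tickets from additional wallets, so the check raises the cost of stacking the draw only by the gas and setup of fresh addresses. If one-entry-per-participant is the intended property, state that limitation in the finding, since the hunk as written cannot enforce it on chain.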

and clear the mapping in `snek_raffle.vy::fulfillRandomWords` at the point where the players list is reset:

...
+ for i in range(len(self.players)):
+ del self.participated[self.players[i]]
self.players = []
self.raffle_state = RaffleState.OPEN
...
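Review bot: the reset loop `for i in range(len(self.players)):` will not compile in Vyper, which requires a compile-time-constant bound for `range()` (iterate the list directly, e.g. `for player in self.players:`, or pass a `bound=`), and `del self.participated[...]` is not valid either, as Vyper has no `del` statement for HashMap entries; assign `self.participated[player] = False` instead. Beyond syntax, this puts an O(number of players) loop inside the VRF callback, which runs under the subscription's callback gas limit and could make `fulfillRandomWords` fail for a large raffle. A cheaper design is to key the mapping by a raffle round counter (for example `HashMap[uint256, HashMap[address, bool]]`) and increment the counter here, so no per-player reset is needed at all.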
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
