Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Denial of Service via Unbounded Loop in enterRaffle()

dparaste48

Root + Impact

The enterRaffle() function uses an O(n²) nested loop for duplicate checking, causing gas costs to increase quadratically as more players join. This leads to a Denial of Service where the raffle becomes unusable after approximately 100-200 players enter.

Description

Describe the normal behavior in one or more sentences:

  • New players should be able to enter the raffle by paying the entrance fee multiplied by the number of addresses they are entering

  • The function should validate that no duplicate addresses are being entered

Explain the specific issue or problem in one or more sentences:

  • The duplicate check uses nested loops that iterate over the entire players array, resulting in O(n²) time complexity

  • As the array grows, the gas cost increases exponentially, eventually exceeding the block gas limit

  • After approximately 100-200 players have entered, new entrants cannot join because their transaction runs out of gas

// @ src/PuppyRaffle.sol:79-92
function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
for (uint256 i = 0; i < newPlayers.length; i++) {
players.push(newPlayers[i]);
}
// Check for duplicates - O(n²) complexity
for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
emit RaffleEnter(newPlayers);
}

Risk

Likelihood:
Reason 1: Occurs naturally as players join the raffle through normal usage
Reason 2: Can be weaponized by an attacker entering many addresses to accelerate the DoS

Impact:
Impact 1: Raffle becomes completely unusable after 100-200 players, preventing new entrants
Impact 2: Contract may never reach the minimum 4-player requirement if DoS occurs early, locking all funds

Proof of Concept

Place the following test in test/AuditTest.t.sol:

function testDosEnterRaffle() public {
vm.txGasPrice(1);
// Enter first 100 players
uint256 numPlayers = 100;
address[] memory players = new address[](numPlayers);
for (uint256 i = 0; i < numPlayers; i++) {
players[i] = address(uint160(i));
}
uint256 gasStart = gasleft();
puppyRaffle.enterRaffle{value: entranceFee * numPlayers}(players);
uint256 gasEnd = gasleft();
uint256 gasUsedFirstBatch = gasStart - gasEnd;
// Enter second 100 players
address[] memory players2 = new address[](numPlayers);
for (uint256 i = 0; i < numPlayers; i++) {
players2[i] = address(uint160(i + numPlayers));
}
gasStart = gasleft();
puppyRaffle.enterRaffle{value: entranceFee * numPlayers}(players2);
gasEnd = gasleft();
uint256 gasUsedSecondBatch = gasStart - gasEnd;
console.log("Gas used for first 100 players: ", gasUsedFirstBatch);
console.log("Gas used for second 100 players: ", gasUsedSecondBatch);
assert(gasUsedSecondBatch > gasUsedFirstBatch);
}

Run with: forge test --mt testDosEnterRaffle -vv

Expected output:

Gas used for first 100 players: 6503103
Gas used for second 100 players: 18995334

The second batch uses approximately 3x more gas, demonstrating the quadratic growth.

Recommended Mitigation

Use a mapping for O(1) duplicate checks instead of nested loops:

+ mapping(address => uint256) public addressToPlayerIndex;
function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
for (uint256 i = 0; i < newPlayers.length; i++) {
+ require(addressToPlayerIndex[newPlayers[i]] == 0, "PuppyRaffle: Duplicate player");
players.push(newPlayers[i]);
+ addressToPlayerIndex[newPlayers[i]] = players.length;
}
- for (uint256 i = 0; i < players.length - 1; i++) {
- for (uint256 j = i + 1; j < players.length; j++) {
- require(players[i] != players[j], "PuppyRaffle: Duplicate player");
- }
- }
emit RaffleEnter(newPlayers);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] `PuppyRaffle: enterRaffle` Use of gas extensive duplicate check leads to Denial of Service, making subsequent participants to spend much more gas than prev ones to enter

## Description `enterRaffle` function uses gas inefficient duplicate check that causes leads to Denial of Service, making subsequent participants to spend much more gas than previous users to enter. ## Vulnerability Details In the `enterRaffle` function, to check duplicates, it loops through the `players` array. As the `player` array grows, it will make more checks, which leads the later user to pay more gas than the earlier one. More users in the Raffle, more checks a user have to make leads to pay more gas. ## Impact As the arrays grows significantly over time, it will make the function unusable due to block gas limit. This is not a fair approach and lead to bad user experience. ## POC In existing test suit, add this test to see the difference b/w gas for users. once added run `forge test --match-test testEnterRaffleIsGasInefficient -vvvvv` in terminal. you will be able to see logs in terminal. ```solidity function testEnterRaffleIsGasInefficient() public { vm.startPrank(owner); vm.txGasPrice(1); /// First we enter 100 participants uint256 firstBatch = 100; address[] memory firstBatchPlayers = new address[](firstBatch); for(uint256 i = 0; i < firstBatchPlayers; i++) { firstBatch[i] = address(i); } uint256 gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * firstBatch}(firstBatchPlayers); uint256 gasEnd = gasleft(); uint256 gasUsedForFirstBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the first 100 partipants is:", gasUsedForFirstBatch); /// Now we enter 100 more participants uint256 secondBatch = 200; address[] memory secondBatchPlayers = new address[](secondBatch); for(uint256 i = 100; i < secondBatchPlayers; i++) { secondBatch[i] = address(i); } gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * secondBatch}(secondBatchPlayers); gasEnd = gasleft(); uint256 gasUsedForSecondBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the next 100 participant is:", gasUsedForSecondBatch); vm.stopPrank(owner); } ``` ## Recommendations Here are some of recommendations, any one of that can be used to mitigate this risk. 1. User a mapping to check duplicates. For this approach you to declare a variable `uint256 raffleID`, that way each raffle will have unique id. Add a mapping from player address to raffle id to keep of users for particular round. ```diff + uint256 public raffleID; + mapping (address => uint256) public usersToRaffleId; . . function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); + usersToRaffleId[newPlayers[i]] = true; } // Check for duplicates + for (uint256 i = 0; i < newPlayers.length; i++){ + require(usersToRaffleId[i] != raffleID, "PuppyRaffle: Already a participant"); - for (uint256 i = 0; i < players.length - 1; i++) { - for (uint256 j = i + 1; j < players.length; j++) { - require(players[i] != players[j], "PuppyRaffle: Duplicate player"); - } } emit RaffleEnter(newPlayers); } . . . function selectWinner() external { //Existing code + raffleID = raffleID + 1; } ``` 2. Allow duplicates participants, As technically you can't stop people participants more than once. As players can use new address to enter. ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); } emit RaffleEnter(newPlayers); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!