Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Missing Validation for Zero-Length Players Array

dod4ufn

Root + Impact

The enterRaffle function does not validate that the newPlayers array contains at least one address. An attacker can call the function with an empty array, emit a RaffleEnter event with no actual players, and waste transactions.

Description

The normal behavior is that players submit a non-empty list of addresses to enter the raffle with the appropriate ETH payment.

The issue is that the function accepts empty arrays, allowing calls with no players and no payment, which emits events that may confuse off-chain tracking systems.

// Root cause in the codebase with @> marks to highlight the relevant section

@> function enterRaffle(address[] memory newPlayers) public payable {

@> require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]);

}

// ...

emit RaffleEnter(newPlayers);

}

Risk

Likelihood:

Callers can trivially invoke the function with an empty array (address[] memory newPlayers = new address[](0))
The require check passes because 0 ETH is required for 0 players

Impact:

Misleading events are emitted with no actual participants
Potential confusion in off-chain event indexing or monitoring systems
Wasted block space for no value

Proof of Concept

// attacker calls:

enterRaffle(new address[](0)); // msg.value = 0, condition passes, event emitted

Recommended Mitigation

function enterRaffle(address[] memory newPlayers) public payable {

+ require(newPlayers.length > 0, "PuppyRaffle: Must enter at least one player");

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]);

}

// ...

emit RaffleEnter(newPlayers);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!