Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

getActivePlayerIndex Returns Zero for Non-Existent Players leading to Index Confusion

dakthehack

Description

The PuppyRaffle::getActivePlayerIndex function returns 0 both when a player is not found AND when a player is legitimately at index 0. This ambiguity creates confusion about whether an address is actually in the raffle.

Expected behavior: The function should clearly distinguish between "player is at index 0" and "player not found". Standard practice is to revert or return a value outside the valid range for "not found".

Actual behavior: The function returns the same value (0) for two completely different scenarios, making it impossible to determine if an address is actually in the raffle or not when receiving index 0.

function getActivePlayerIndex(address player) external view returns (uint256) {

for (uint256 i = 0; i < players.length; i++) {

if (players[i] == player) {

return i;

}

return 0; // @> Returns 0 for "not found" but 0 is a valid index!

}

While the refund() function has a check that prevents direct exploitation, the misleading return value creates dangerous assumptions for users and integrating contracts.

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

// ... refund logic

}

Risk

Likelihood:

High - Occurs every time someone queries their index when not in the raffle
Affects any user interface or contract that calls getActivePlayerIndex
Front-end implementations will misinterpret the return value
Creates confusion in all external integrations

Impact:

Users who are not in the raffle are told they're at index 0
Cannot distinguish between "player at index 0" and "not found"
External contracts integrating with PuppyRaffle will have broken logic
Users may attempt to call refund(0) thinking it's their index when they're not in the raffle

Proof of Concept

Add to test/PuppyRaffleTest.t.sol:

function test_getActivePlayerIndexReturnsZeroForNonExistentPlayers() public {

// Setup: Three players enter

address alice = address(1);

address bob = address(2);

address charlie = address(3);

address[] memory players = new address[](3);

players[0] = alice;

players[1] = bob;

players[2] = charlie;

vm.deal(alice, entranceFee * 3);

vm.prank(alice);

puppyRaffle.enterRaffle{value: entranceFee * 3}(players);

// Query legitimate player at index 0

uint256 aliceIndex = puppyRaffle.getActivePlayerIndex(alice);

// Query non-existent players

address notInRaffle = address(99);

uint256 notInRaffleIndex = puppyRaffle.getActivePlayerIndex(notInRaffle);

address alsoNotInRaffle = address(100);

uint256 alsoNotInRaffleIndex = puppyRaffle.getActivePlayerIndex(alsoNotInRaffle);

emit log("=== Index Ambiguity Demonstration ===");

emit log_named_address("Player at index 0", puppyRaffle.players(0));

emit log_named_uint("Alice (at index 0) returns", aliceIndex);

emit log_named_uint("Non-participant (address 99) returns", notInRaffleIndex);

emit log_named_uint("Non-participant (address 100) returns", alsoNotInRaffleIndex);

// All return 0 - impossible to distinguish!

assertEq(aliceIndex, 0);

assertEq(notInRaffleIndex, 0);

assertEq(alsoNotInRaffleIndex, 0);

}

Run: forge test --match-test test_getActivePlayerIndexReturnsZeroForNonExistentPlayers -vv

Output:

Player at index 0: 0x0000000000000000000000000000000000000001

Alice (at index 0) returns: 0

Non-participant (address 99) returns: 0

Non-participant (address 100) returns: 0

All queries return 0 making it impossible to distinguish between a legitimate player at index 0 and non-existent players.

Recommended Mitigation

Revert instead of returning 0 when player is not found:

function getActivePlayerIndex(address player) external view returns (uint256) {

for (uint256 i = 0; i < players.length; i++) {

if (players[i] == player) {

return i;

}

- return 0;

+ revert("PuppyRaffle: Player not found");

}

This makes it clear when a player doesn't exist instead of returning a misleading index value.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 8 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-01] Ambiguous index returned from PuppyRaffle::getActivePlayerIndex(address), leading to possible refund failures

## Description The `PuppyRaffle::getActivePlayerIndex(address)` returns `0` when the index of this player's address is not found, which is the same as if the player would have been found in the first element in the array. This can trick calling logic to think the address was found and then attempt to execute a `PuppyRaffle::refund(uint256)`. ## Vulnerability Details The `PuppyRaffle::refund()` function requires the index of the player's address to preform the requested refund. ```solidity /// @param playerIndex the index of the player to refund. You can find it externally by calling `getActivePlayerIndex` function refund(uint256 playerIndex) public; ``` In order to have this index, `PuppyRaffle::getActivePlayerIndex(address)` must be used to learn the correct value. ```solidity /// @notice a way to get the index in the array /// @param player the address of a player in the raffle /// @return the index of the player in the array, if they are not active, it returns 0 function getActivePlayerIndex(address player) external view returns (int256) { // find the index... // if not found, then... return 0; } ``` The logic in this function returns `0` as the default, which is as stated in the `@return` NatSpec. However, this can create an issue when the calling logic checks the value and naturally assumes `0` is a valid index that points to the first element in the array. When the players array has at two or more players, calling `PuppyRaffle::refund()` with the incorrect index will result in a normal revert with the message "PuppyRaffle: Only the player can refund", which is fine and obviously expected. On the other hand, in the event a user attempts to perform a `PuppyRaffle::refund()` before a player has been added the EvmError will likely cause an outrageously large gas fee to be charged to the user. This test case can demonstrate the issue: ```solidity function testRefundWhenIndexIsOutOfBounds() public { int256 playerIndex = puppyRaffle.getActivePlayerIndex(playerOne); vm.prank(playerOne); puppyRaffle.refund(uint256(playerIndex)); } ``` The results of running this one test show about 9 ETH in gas: ```text Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: EvmError: Revert] testRefundWhenIndexIsOutOfBounds() (gas: 9079256848778899449) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 914.01µs ``` Additionally, in the very unlikely event that the first player to have entered attempts to preform a `PuppyRaffle::refund()` for another user who has not already entered the raffle, they will unwittingly refund their own entry. A scenario whereby this might happen would be if `playerOne` entered the raffle for themselves and 10 friends. Thinking that `nonPlayerEleven` had been included in the original list and has subsequently requested a `PuppyRaffle::refund()`. Accommodating the request, `playerOne` gets the index for `nonPlayerEleven`. Since the address does not exist as a player, `0` is returned to `playerOne` who then calls `PuppyRaffle::refund()`, thereby refunding their own entry. ## Impact 1. Exorbitantly high gas fees charged to user who might inadvertently request a refund before players have entered the raffle. 2. Inadvertent refunds given based in incorrect `playerIndex`. ## Recommendations 1. Ideally, the whole process can be simplified. Since only the `msg.sender` can request a refund for themselves, there is no reason why `PuppyRaffle::refund()` cannot do the entire process in one call. Consider refactoring and implementing the `PuppyRaffle::refund()` function in this manner: ```solidity /// @dev This function will allow there to be blank spots in the array function refund() public { require(_isActivePlayer(), "PuppyRaffle: Player is not active"); address playerAddress = msg.sender; payable(msg.sender).sendValue(entranceFee); for (uint256 playerIndex = 0; playerIndex < players.length; ++playerIndex) { if (players[playerIndex] == playerAddress) { players[playerIndex] = address(0); } } delete existingAddress[playerAddress]; emit RaffleRefunded(playerAddress); } ``` Which happens to take advantage of the existing and currently unused `PuppyRaffle::_isActivePlayer()` and eliminates the need for the index altogether. 2. Alternatively, if the existing process is necessary for the business case, then consider refactoring the `PuppyRaffle::getActivePlayerIndex(address)` function to return something other than a `uint` that could be mistaken for a valid array index. ```diff + int256 public constant INDEX_NOT_FOUND = -1; + function getActivePlayerIndex(address player) external view returns (int256) { - function getActivePlayerIndex(address player) external view returns (uint256) { for (uint256 i = 0; i < players.length; i++) { if (players[i] == player) { return int256(i); } } - return 0; + return INDEX_NOT_FOUND; } function refund(uint256 playerIndex) public { + require(playerIndex < players.length, "PuppyRaffle: No player for index"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!