Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-3] Denial of Service via Gas-Intensive Duplicate Check in enterRaffle

0xaljzoli

[H-3] Denial of Service via Gas-Intensive Duplicate Check in `enterRaffle`

Title: Denial of Service via Gas-Intensive Duplicate Check in enterRaffle

Impact: High

Likelihood: Medium

Description

The enterRaffle function is meant to allow new players to join the raffle by providing an array of participant addresses and paying the corresponding entrance fee. Duplicate detection should prevent the same address from being entered twice.
The duplicate check uses a nested O(N*M) loop that iterates over the entire players array for every new entry. As the player list grows, the gas cost of this check grows quadratically. With a sufficiently large players array, the gas cost exceeds the block gas limit, making it impossible for anyone to call enterRaffle and permanently locking the raffle in its current state.

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]); // @> Players are pushed BEFORE duplicate check

}

- // Check for duplicates — O(N*M) where N = newPlayers, M = total players

for (uint256 i = 0; i < players.length - 1; i++) {

for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j], "PuppyRaffle: Duplicate player");

}

Risk

Likelihood:

As more players enter the raffle, the nested loop cost grows as O(players.length^2). On Ethereum mainnet with a ~30M gas block limit, the function becomes uncalled once the players array reaches roughly a few thousand entries, since the duplicate check alone will exceed the block gas limit.
An attacker could intentionally enter the raffle with many addresses to accelerate the array growth and force the DoS condition much sooner. Each new batch of unique addresses increases the gas cost for all future entrants.

Impact:

Once the gas cost exceeds the block gas limit, no new player can enter the raffle. The contract is permanently stuck in its current round — selectWinner can still be called (it does not iterate the array in the same way), but new participation is permanently blocked.
The raffle's core functionality is destroyed. Legitimate users who attempt to join are forced to pay excessive gas or their transactions simply revert, effectively killing the protocol's user acquisition and revenue model.

Proof of Concept

function testDoSFromDuplicateCheck() public {

// Attacker enters 100 unique addresses in batches

for (uint256 i = 0; i < 100; i++) {

address[] memory newPlayers = new address[](1);

newPlayers[0] = address(uint160(i + 1000));

puppyRaffle.enterRaffle{value: entranceFee}(newPlayers);

}

// Now the players array has 100 entries

// The next call must compare 101 * 100 / 2 = 5,050 address pairs

address[] memory newPlayers = new address[](1);

newPlayers[0] = address(9999);

// This may still work, but gas is already very high

// At ~1000 players: 1000 * 999 / 2 = ~500,000 comparisons

// At ~5000 players: 5000 * 4999 / 2 = ~12.5M comparisons

// This exceeds block gas limit — transaction reverts

// Simulate with vm.assume to show gas exhaustion

for (uint256 i = 0; i < 4900; i++) {

address[] memory batch = new address[](1);

batch[0] = address(uint160(i + 2000));

puppyRaffle.enterRaffle{value: entranceFee}(batch);

}

// players.length is now ~5000

// Next enterRaffle call will cost > 30M gas and revert

newPlayers[0] = address(88888);

vm.expectRevert();

puppyRaffle.enterRaffle{value: entranceFee}(newPlayers);

}

This PoC demonstrates how the nested loop causes gas to grow quadratically. After an attacker fills the array with thousands of addresses, the gas required to perform the duplicate check alone exceeds the Ethereum block gas limit of ~30 million gas, causing all subsequent enterRaffle calls to revert. No special permissions are needed — anyone can join the raffle to grow the array.

Recommended Mitigation

+ mapping(address => bool) public isPlayer;

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

+ require(!isPlayer[newPlayers[i]], "PuppyRaffle: Duplicate player");

+ isPlayer[newPlayers[i]] = true;

players.push(newPlayers[i]);

}

- // Check for duplicates

- for (uint256 i = 0; i < players.length - 1; i++) {

- for (uint256 j = i + 1; j < players.length; j++) {

- require(players[i] != players[j], "PuppyRaffle: Duplicate player");

- }

emit RaffleEnter(newPlayers);

}

Adding a mapping(address => bool) allows O(1) duplicate lookups instead of the O(N^2) nested loop. This reduces the gas cost from quadratic to linear, making the function callable regardless of how many players have joined. The mapping should also be reset in selectWinner and properly updated in refund to maintain consistency.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] `PuppyRaffle: enterRaffle` Use of gas extensive duplicate check leads to Denial of Service, making subsequent participants to spend much more gas than prev ones to enter

## Description `enterRaffle` function uses gas inefficient duplicate check that causes leads to Denial of Service, making subsequent participants to spend much more gas than previous users to enter. ## Vulnerability Details In the `enterRaffle` function, to check duplicates, it loops through the `players` array. As the `player` array grows, it will make more checks, which leads the later user to pay more gas than the earlier one. More users in the Raffle, more checks a user have to make leads to pay more gas. ## Impact As the arrays grows significantly over time, it will make the function unusable due to block gas limit. This is not a fair approach and lead to bad user experience. ## POC In existing test suit, add this test to see the difference b/w gas for users. once added run `forge test --match-test testEnterRaffleIsGasInefficient -vvvvv` in terminal. you will be able to see logs in terminal. ```solidity function testEnterRaffleIsGasInefficient() public { vm.startPrank(owner); vm.txGasPrice(1); /// First we enter 100 participants uint256 firstBatch = 100; address[] memory firstBatchPlayers = new address[](firstBatch); for(uint256 i = 0; i < firstBatchPlayers; i++) { firstBatch[i] = address(i); } uint256 gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * firstBatch}(firstBatchPlayers); uint256 gasEnd = gasleft(); uint256 gasUsedForFirstBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the first 100 partipants is:", gasUsedForFirstBatch); /// Now we enter 100 more participants uint256 secondBatch = 200; address[] memory secondBatchPlayers = new address[](secondBatch); for(uint256 i = 100; i < secondBatchPlayers; i++) { secondBatch[i] = address(i); } gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * secondBatch}(secondBatchPlayers); gasEnd = gasleft(); uint256 gasUsedForSecondBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the next 100 participant is:", gasUsedForSecondBatch); vm.stopPrank(owner); } ``` ## Recommendations Here are some of recommendations, any one of that can be used to mitigate this risk. 1. User a mapping to check duplicates. For this approach you to declare a variable `uint256 raffleID`, that way each raffle will have unique id. Add a mapping from player address to raffle id to keep of users for particular round. ```diff + uint256 public raffleID; + mapping (address => uint256) public usersToRaffleId; . . function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); + usersToRaffleId[newPlayers[i]] = true; } // Check for duplicates + for (uint256 i = 0; i < newPlayers.length; i++){ + require(usersToRaffleId[i] != raffleID, "PuppyRaffle: Already a participant"); - for (uint256 i = 0; i < players.length - 1; i++) { - for (uint256 j = i + 1; j < players.length; j++) { - require(players[i] != players[j], "PuppyRaffle: Duplicate player"); - } } emit RaffleEnter(newPlayers); } . . . function selectWinner() external { //Existing code + raffleID = raffleID + 1; } ``` 2. Allow duplicates participants, As technically you can't stop people participants more than once. As players can use new address to enter. ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); } emit RaffleEnter(newPlayers); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!