[H-4] Denial of Service via Zero-Address Winner Selection After Refunds
[H-4] Denial of Service via Zero-Address Winner Selection After Refunds
Title: Denial of Service via Zero-Address Winner Selection After Refunds
Impact: High
Likelihood: Medium
Description
-
The
selectWinnerfunction randomly selects a winner index from theplayersarray and mints an NFT to that address. Therefundfunction sets a player's slot toaddress(0)rather than removing the entry, leaving zero-address "holes" in the array. -
When
selectWinnerpicks an index corresponding to a refunded player, it attempts to mint an NFT toaddress(0). OpenZeppelin's ERC721_safeMintfunction contains an internal checkrequire(to != address(0), "ERC721: mint to the zero address"), which causes the entireselectWinnertransaction to revert. As more players refund, the probability of selecting a zero-address increases, making the raffle progressively harder to close.
Risk
Likelihood:
-
Any player can call
refundto set their slot toaddress(0). After just one refund out of 4 players, there is a 25% chance thatselectWinnerpicks the zero-address and reverts. With 2 refunds out of 4 players, the probability rises to 50%, and with 3 refunds, the function will almost certainly revert. -
An attacker could intentionally enter the raffle with multiple addresses and refund them all to intentionally inflate the number of zero-address slots, making the DoS condition nearly certain.
Impact:
-
When
selectWinnerreverts due to a zero-address winner, the raffle cannot be completed. The ETH prize pool remains locked in the contract, and no NFT is minted. All legitimate players who did not refund are unable to receive their winnings. -
The raffleStartTime is updated only after a successful
selectWinnercall, so the raffle duration does not reset on reverts. However, since the function keeps reverting, the raffle is permanently stuck and no new round can begin.
Proof of Concept
This PoC shows that after a single refund, selectWinner can revert when the random index lands on the refunded slot. The _safeMint call fails because OpenZeppelin's ERC721 implementation explicitly prohibits minting to address(0). Since the winner index is determined by a hash, the attack cannot be predicted in advance — it is probabilistic, but as more players refund, the likelihood of the DoS approaches certainty. An attacker can intentionally refund multiple entries to guarantee the function never succeeds.
Recommended Mitigation
Adding a require(winner != address(0)) check prevents the function from reverting deep inside _safeMint. However, this is a partial fix — the better long-term solution is to compact the players array in refund by swapping the removed entry with the last element and popping, which eliminates zero-address holes entirely and keeps the array dense:
This swap-and-pop approach removes the zero-address slot entirely, keeping only active players in the array and eliminating the root cause of this vulnerability.
Lead Judging Commences
[H-04] `PuppyRaffle::refund` replaces an index with address(0) which can cause the function `PuppyRaffle::selectWinner` to always revert
## Description `PuppyRaffle::refund` is supposed to refund a player and remove him from the current players. But instead, it replaces his index value with address(0) which is considered a valid value by solidity. This can cause a lot issues because the players array length is unchanged and address(0) is now considered a player. ## Vulnerability Details ```javascript players[playerIndex] = address(0); @> uint256 totalAmountCollected = players.length * entranceFee; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); _safeMint(winner, tokenId); ``` If a player refunds his position, the function `PuppyRaffle::selectWinner` will always revert. Because more than likely the following call will not work because the `prizePool` is based on a amount calculated by considering that that no player has refunded his position and exit the lottery. And it will try to send more tokens that what the contract has : ```javascript uint256 totalAmountCollected = players.length * entranceFee; uint256 prizePool = (totalAmountCollected * 80) / 100; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); ``` However, even if this calls passes for some reason (maby there are more native tokens that what the players have sent or because of the 80% ...). The call will thankfully still fail because of the following line is minting to the zero address is not allowed. ```javascript _safeMint(winner, tokenId); ``` ## Impact The lottery is stoped, any call to the function `PuppyRaffle::selectWinner`will revert. There is no actual loss of funds for users as they can always refund and get their tokens back. However, the protocol is shut down and will lose all it's customers. A core functionality is exposed. Impact is high ### Proof of concept To execute this test : forge test --mt testWinnerSelectionRevertsAfterExit -vvvv ```javascript function testWinnerSelectionRevertsAfterExit() public playersEntered { vm.warp(block.timestamp + duration + 1); vm.roll(block.number + 1); // There are four winners. Winner is last slot vm.prank(playerFour); puppyRaffle.refund(3); // reverts because out of Funds vm.expectRevert(); puppyRaffle.selectWinner(); vm.deal(address(puppyRaffle), 10 ether); vm.expectRevert("ERC721: mint to the zero address"); puppyRaffle.selectWinner(); } ``` ## Recommendations Delete the player index that has refunded. ```diff - players[playerIndex] = address(0); + players[playerIndex] = players[players.length - 1]; + players.pop() ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.