Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Misleading NatSpec in PuppyRaffle::enterRaffle() contradicts duplicate address restriction

georgibuilds

Root + Impact

Description

The NatSpec documentation for PuppyRaffle::enterRaffle() states
"You can use this to enter yourself multiple times" but the
implementation explicitly rejects duplicate addresses via a
nested loop check. This contradiction misleads developers and
integrators who rely on documentation to understand protocol
behavior, potentially causing integration errors or incorrect
assumptions about the protocol's intended functionality.

/// @notice this is how players enter the raffle

/// @notice they have to pay the entrance fee * the number of players

// @> NatSpec claims multiple entries allowed:

/// @notice duplicate entrants are not allowed

/// 1. `address[] participants`: A list of addresses that enter.

/// You can use this to enter yourself multiple times, // @> CONTRADICTION

/// or yourself and a group of your friends.

function enterRaffle(address[] memory newPlayers) public payable {

...

// @> But code explicitly rejects duplicates:

for (uint256 i = 0; i < players.length - 1; i++) {

for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j],

"PuppyRaffle: Duplicate player");

}

Risk

Likelihood:

Likelihood:
- Present in every deployment from day one
- Any developer reading documentation encounters this
Impact:
- Developers may build integrations expecting
  multiple entries per address
- Integration failures when duplicate check reverts
- Trust issues with protocol documentation qualit

Proof of Concept

Steps to observe:

Read NatSpec: "enter yourself multiple times"
Call enterRaffle([yourAddr, yourAddr])
Transaction reverts: "PuppyRaffle: Duplicate player"
Documentation directly contradicts implementation

function test_misleading_natspec() public {

address[] memory players = new address[](2);

players[0] = makeAddr("Alice");

players[1] = makeAddr("Alice"); // same address twice

vm.deal(players[0], entranceFee * 2);

vm.prank(players[0]);

// NatSpec says this should work

// Code says it reverts

vm.expectRevert("PuppyRaffle: Duplicate player");

puppyRaffle.enterRaffle{value: entranceFee * 2}(players);

}

Recommended Mitigation

Update the NatSpec to accurately reflect the duplicate
address restriction. Remove the misleading claim about
entering multiple times with the same address.

/// @notice this is how players enter the raffle

/// @notice they have to pay the entrance fee * the number of players

- /// @notice duplicate entrants are not allowed

- /// 1. `address[] participants`: A list of addresses that enter.

- /// You can use this to enter yourself multiple times,

- /// or yourself and a group of your friends.

+ /// @notice duplicate addresses are not allowed

+ /// 1. `address[] participants`: A list of unique addresses that enter.

+ /// You can enter yourself and a group of friends,

+ /// but each address may only appear once per raffle.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!