Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Quadratic duplicate check in `PuppyRaffle::enterRaffle` enables gas-based DoS and limits raffle scalability

kode_n_rolla

Description

Normal behavior: The enterRaffle function allows users to enter the raffle by providing a list of participant addresses and paying entranceFee * newPlayers.length. The function is expected to scale with the number of participants and reject only logically invalid entries such as duplicate addresses.
Issue: The function performs a quadratic (O(n²)) duplicate check over the entire players array after appending new entries. As the array grows, this check becomes increasingly expensive in gas, eventually making enterRaffle uncallable within realistic gas limits even when all provided addresses are unique. This creates a gas-based denial-of-service vector and imposes a hard scalability ceiling on the raffle.

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]);

}

// Quadratic duplicate check over entire players array

@> for (uint256 i = 0; i < players.length - 1; i++) {

@> for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j], "PuppyRaffle: Duplicate player");

}

emit RaffleEnter(newPlayers);

}

Risk

Likelihood:

As the raffle accumulates participants over time, the gas cost of enterRaffle grows quadratically with the size of the players array, making the issue reachable during normal protocol usage.
An attacker or heavy user can intentionally submit large batches of unique addresses in early rounds, accelerating growth of the players array and pushing the function beyond feasible gas limits.

Impact:

Legitimate users may be unable to enter the raffle once the players array exceeds a certain size, effectively causing a denial of service for new participants.
The protocol becomes non-scalable and unreliable under realistic gas constraints, undermining its usability and fairness without requiring any invalid input or privileged access.

Proof of Concept

A Foundry test demonstrates a concrete scalability ceiling by enforcing a fixed per-call gas limit. With GAS_LIMIT = 8_000_000, enterRaffle succeeds when adding 75 unique participants but fails at 76 participants (out-of-gas), despite all addresses being unique. This confirms the DoS condition is gas-driven (not a logical revert) and is caused by the quadratic duplicate check over the growing players array.

function _makeUniquePlayers(uint256 n, uint256 salt) internal pure returns (address[] memory arr) {

arr = new address[](n);

for (uint256 i = 0; i < n; i++) {

// deterministic unique addresses

arr[i] = address(uint160(uint256(keccak256(abi.encodePacked("P", salt, i)))));

}

function _tryEnter(uint256 n, uint256 gasLimit) internal returns (bool ok) {

address[] memory newPlayers = _makeUniquePlayers(n, 777);

bytes memory data = abi.encodeWithSelector(puppyRaffle.enterRaffle.selector, newPlayers);

// fund the caller for msg.value; we’ll use prank as playerOne

uint256 value = entranceFee * n;

vm.deal(playerOne, value);

vm.prank(playerOne);

(ok,) = address(puppyRaffle).call{value: value, gas: gasLimit}(data);

}

function test_gasDoS_duplicatesCheck_threshold() public {

// Pick a realistic per-tx gas limit to demonstrate scalability failure

uint256 GAS_LIMIT = 8_000_000;

// Establish a search range. 1..MAX_N

uint256 lo = 1;

uint256 hi = 600; // adjust up/down depending on runtime

// Ensure hi is failing; if not, increase it

while (_tryEnter(hi, GAS_LIMIT)) {

hi *= 2;

require(hi < 5000, "Increase upper bound safely");

}

// Binary search: find max n that still succeeds

while (lo + 1 < hi) {

uint256 mid = (lo + hi) / 2;

bool ok = _tryEnter(mid, GAS_LIMIT);

if (ok) {

lo = mid;

} else {

hi = mid;

}

console.log("Max entrants that fit in gas limit:", lo);

console.log("First failing entrants count:", hi);

// Assert that a failure threshold exists within tested range

assertTrue(lo >= 1);

assertFalse(_tryEnter(hi, GAS_LIMIT));

console.log("lo", lo);

console.log("hi", hi);

}

Recommended Mitigation

Avoid O(n²) duplicate checks over an ever-growing array. Track uniqueness in O(1) using a mapping that records whether an address is already active in the current raffle. This both prevents duplicates and keeps enterRaffle scalable.

A minimal fix is to introduce mapping(address => bool) public isActivePlayer;:

set to true when a player enters,
set to false on refund,
clear/reset appropriately when the raffle round ends (e.g., when deleting players).

contract PuppyRaffle is ERC721, Ownable {

using Address for address payable;

uint256 public immutable entranceFee;

address[] public players;

+ mapping(address => bool) public isActive;

...

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

- for (uint256 i = 0; i < newPlayers.length; i++) {

- players.push(newPlayers[i]);

- }

- // Check for duplicates

- for (uint256 i = 0; i < players.length - 1; i++) {

- for (uint256 j = i + 1; j < players.length; j++) {

- require(players[i] != players[j], "PuppyRaffle: Duplicate player");

- }

+ for (uint256 i = 0; i < newPlayers.length; i++) {

+ address p = newPlayers[i];

+ require(p != address(0), "PuppyRaffle: Invalid player");

+ require(!isActive[p], "PuppyRaffle: Duplicate player");

+ isActive[p] = true;

+ players.push(p);

+ }

emit RaffleEnter(newPlayers);

}

...

function refund(uint256 playerIndex) public {

address playerAddress = players[playerIndex];

require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");

require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

payable(msg.sender).sendValue(entranceFee);

- players[playerIndex] = address(0);

+ // Mark player inactive (keep array hole behavior if desired)

+ isActive[playerAddress] = false;

+ players[playerIndex] = address(0);

emit RaffleRefunded(playerAddress);

}

...

function selectWinner() external {

...

- delete players;

+ // Reset active flags for all players in this round

+ for (uint256 i = 0; i < players.length; i++) {

+ address p = players[i];

+ if (p != address(0)) {

+ isActive[p] = false;

+ }

+ delete players;

raffleStartTime = block.timestamp;

previousWinner = winner;

(bool success,) = winner.call{value: prizePool}("");

require(success, "PuppyRaffle: Failed to send prize pool to winner");

_safeMint(winner, tokenId);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 15 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] `PuppyRaffle: enterRaffle` Use of gas extensive duplicate check leads to Denial of Service, making subsequent participants to spend much more gas than prev ones to enter

## Description `enterRaffle` function uses gas inefficient duplicate check that causes leads to Denial of Service, making subsequent participants to spend much more gas than previous users to enter. ## Vulnerability Details In the `enterRaffle` function, to check duplicates, it loops through the `players` array. As the `player` array grows, it will make more checks, which leads the later user to pay more gas than the earlier one. More users in the Raffle, more checks a user have to make leads to pay more gas. ## Impact As the arrays grows significantly over time, it will make the function unusable due to block gas limit. This is not a fair approach and lead to bad user experience. ## POC In existing test suit, add this test to see the difference b/w gas for users. once added run `forge test --match-test testEnterRaffleIsGasInefficient -vvvvv` in terminal. you will be able to see logs in terminal. ```solidity function testEnterRaffleIsGasInefficient() public { vm.startPrank(owner); vm.txGasPrice(1); /// First we enter 100 participants uint256 firstBatch = 100; address[] memory firstBatchPlayers = new address[](firstBatch); for(uint256 i = 0; i < firstBatchPlayers; i++) { firstBatch[i] = address(i); } uint256 gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * firstBatch}(firstBatchPlayers); uint256 gasEnd = gasleft(); uint256 gasUsedForFirstBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the first 100 partipants is:", gasUsedForFirstBatch); /// Now we enter 100 more participants uint256 secondBatch = 200; address[] memory secondBatchPlayers = new address[](secondBatch); for(uint256 i = 100; i < secondBatchPlayers; i++) { secondBatch[i] = address(i); } gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * secondBatch}(secondBatchPlayers); gasEnd = gasleft(); uint256 gasUsedForSecondBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the next 100 participant is:", gasUsedForSecondBatch); vm.stopPrank(owner); } ``` ## Recommendations Here are some of recommendations, any one of that can be used to mitigate this risk. 1. User a mapping to check duplicates. For this approach you to declare a variable `uint256 raffleID`, that way each raffle will have unique id. Add a mapping from player address to raffle id to keep of users for particular round. ```diff + uint256 public raffleID; + mapping (address => uint256) public usersToRaffleId; . . function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); + usersToRaffleId[newPlayers[i]] = true; } // Check for duplicates + for (uint256 i = 0; i < newPlayers.length; i++){ + require(usersToRaffleId[i] != raffleID, "PuppyRaffle: Already a participant"); - for (uint256 i = 0; i < players.length - 1; i++) { - for (uint256 j = i + 1; j < players.length; j++) { - require(players[i] != players[j], "PuppyRaffle: Duplicate player"); - } } emit RaffleEnter(newPlayers); } . . . function selectWinner() external { //Existing code + raffleID = raffleID + 1; } ``` 2. Allow duplicates participants, As technically you can't stop people participants more than once. As players can use new address to enter. ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); } emit RaffleEnter(newPlayers); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!