Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Denial of Service via O(n^2) Duplicate Check in enterRaffle()

quanghoa27061998

Description

  • Denial of Service vulnerabilities allow an attacker to make a contract unusable. Common vectors include: unbounded loops over user-controlled arrays, external calls in loops that can be made to fail, block gas limit exploitation, and griefing via unexpected reverts.

  • The enterRaffle() function at PuppyRaffle.sol:86-90 uses nested loops O(n^2) to check for duplicate players across the entire players array. Gas costs grow quadratically — first 100 players cost ~6.5M gas, next 100 players (200 total) cost ~19M gas (2.9x ratio). At ~500 players, gas exceeds block gas limit (30M), making it impossible for anyone to enter. An attacker can exploit this by entering with many addresses early (refundable), blocking all legitimate players.

// @audit O(n^2) duplicate check — gas grows quadratically
for (uint256 i = 0; i < players.length - 1; i++) {
for (uint256 j = i + 1; j < players.length; j++) {
require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
Players Comparisons Approximate Gas
100 ~5,000 ~6.5M
200 ~20,000 ~19M
500 ~125,000 >30M (exceeds block limit)

Risk

Likelihood:

  • Can occur naturally with popular raffles (300+ legitimate players)

  • Can be deliberately triggered by a griefing attacker (cost is refundable)

Impact:

  • Raffle becomes unusable after ~300-500 players

  • Earlier entrants pay significantly less gas than later entrants (unfairness)

  • Attacker griefing cost is refundable via refund()

Proof of Concept

How the attack works:

  1. An attacker enters the raffle with a large batch of addresses (e.g., 300 unique addresses), paying entranceFee * 300

  2. Gas cost for subsequent enterRaffle() calls grows quadratically because the nested loop now iterates over 300+ existing entries for every new entrant

  3. At ~500 total players, the duplicate check exceeds the 30M block gas limit, making enterRaffle() impossible to execute for any new participant

  4. The attacker can then call refund() for all their addresses to recover their entrance fees, having effectively griefed the raffle at zero net cost

PoC code:

function testExploit_DoS_GasEscalation() public {
uint256 numPlayers = 100;
// First 100 players
address[] memory players100 = new address[](numPlayers);
for (uint256 i = 0; i < numPlayers; i++) {
players100[i] = address(uint160(i + 10));
}
uint256 gasStart100 = gasleft();
puppyRaffle.enterRaffle{value: entranceFee * numPlayers}(players100);
uint256 gasUsed100 = gasStart100 - gasleft();
// Second 100 players (total 200)
address[] memory players200 = new address[](numPlayers);
for (uint256 i = 0; i < numPlayers; i++) {
players200[i] = address(uint160(i + 10 + numPlayers));
}
uint256 gasStart200 = gasleft();
puppyRaffle.enterRaffle{value: entranceFee * numPlayers}(players200);
uint256 gasUsed200 = gasStart200 - gasleft();
// Gas ratio: ~6.5M vs ~19M = 2.9x (quadratic growth confirmed)
assertGt(gasUsed200, gasUsed100 * 2, "Gas should scale quadratically");
}
// forge test --match-test testExploit_DoS_GasEscalation -vvv
// Result: PASS — Gas scales quadratically, exceeds block limit at ~500 players

Expected outcome: Gas cost for enterRaffle() grows quadratically, eventually exceeding the block gas limit (~500 players), making the raffle permanently unusable for new entrants.

Recommended Mitigation

Replace the O(n^2) nested loop with a mapping(address => uint256) for O(1) duplicate detection:

mapping(address => uint256) public addressToRaffleId;
uint256 public raffleId = 0;
function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
for (uint256 i = 0; i < newPlayers.length; i++) {
require(addressToRaffleId[newPlayers[i]] != raffleId, "PuppyRaffle: Duplicate player");
addressToRaffleId[newPlayers[i]] = raffleId;
players.push(newPlayers[i]);
}
emit RaffleEnter(newPlayers);
}
// In selectWinner():
raffleId++; // Invalidates all mappings for next round
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 8 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] `PuppyRaffle: enterRaffle` Use of gas extensive duplicate check leads to Denial of Service, making subsequent participants to spend much more gas than prev ones to enter

## Description `enterRaffle` function uses gas inefficient duplicate check that causes leads to Denial of Service, making subsequent participants to spend much more gas than previous users to enter. ## Vulnerability Details In the `enterRaffle` function, to check duplicates, it loops through the `players` array. As the `player` array grows, it will make more checks, which leads the later user to pay more gas than the earlier one. More users in the Raffle, more checks a user have to make leads to pay more gas. ## Impact As the arrays grows significantly over time, it will make the function unusable due to block gas limit. This is not a fair approach and lead to bad user experience. ## POC In existing test suit, add this test to see the difference b/w gas for users. once added run `forge test --match-test testEnterRaffleIsGasInefficient -vvvvv` in terminal. you will be able to see logs in terminal. ```solidity function testEnterRaffleIsGasInefficient() public { vm.startPrank(owner); vm.txGasPrice(1); /// First we enter 100 participants uint256 firstBatch = 100; address[] memory firstBatchPlayers = new address[](firstBatch); for(uint256 i = 0; i < firstBatchPlayers; i++) { firstBatch[i] = address(i); } uint256 gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * firstBatch}(firstBatchPlayers); uint256 gasEnd = gasleft(); uint256 gasUsedForFirstBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the first 100 partipants is:", gasUsedForFirstBatch); /// Now we enter 100 more participants uint256 secondBatch = 200; address[] memory secondBatchPlayers = new address[](secondBatch); for(uint256 i = 100; i < secondBatchPlayers; i++) { secondBatch[i] = address(i); } gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * secondBatch}(secondBatchPlayers); gasEnd = gasleft(); uint256 gasUsedForSecondBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the next 100 participant is:", gasUsedForSecondBatch); vm.stopPrank(owner); } ``` ## Recommendations Here are some of recommendations, any one of that can be used to mitigate this risk. 1. User a mapping to check duplicates. For this approach you to declare a variable `uint256 raffleID`, that way each raffle will have unique id. Add a mapping from player address to raffle id to keep of users for particular round. ```diff + uint256 public raffleID; + mapping (address => uint256) public usersToRaffleId; . . function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); + usersToRaffleId[newPlayers[i]] = true; } // Check for duplicates + for (uint256 i = 0; i < newPlayers.length; i++){ + require(usersToRaffleId[i] != raffleID, "PuppyRaffle: Already a participant"); - for (uint256 i = 0; i < players.length - 1; i++) { - for (uint256 j = i + 1; j < players.length; j++) { - require(players[i] != players[j], "PuppyRaffle: Duplicate player"); - } } emit RaffleEnter(newPlayers); } . . . function selectWinner() external { //Existing code + raffleID = raffleID + 1; } ``` 2. Allow duplicates participants, As technically you can't stop people participants more than once. As players can use new address to enter. ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); } emit RaffleEnter(newPlayers); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!