Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

`enterRaffle()` Duplicate Check Has O(n²) Gas Complexity — DoS via Array Growth Locks New Entrants

h3xu

enterRaffle() Duplicate Check Has O(n²) Gas Complexity — DoS via Array Growth Locks New Entrants

Description

PuppyRaffle.enterRaffle() validates that no duplicate addresses are entering the raffle by using a nested loop over the entire players array. Every call iterates over all existing players to find duplicates, making the gas cost grow quadratically (O(n²)) as the player count increases.

An attacker who has accumulated a large number of player entries (across multiple honest rounds or via griefing) can make players[] so large that any future call to enterRaffle() exceeds the block gas limit and reverts unconditionally, permanently blocking new entrants.

function enterRaffle(address[] memory newPlayers) public payable {
// ...
@> for (uint256 i = 0; i < players.length - 1; i++) {
@> for (uint256 j = i + 1; j < players.length; j++) {
@> require(players[i] != players[j], "PuppyRaffle: Duplicate player");
}
}
// ...
}

At players.length = 100, the inner loop executes approximately 4,950 iterations. At Ethereum's 30M gas limit, with ~2,100 gas per SLOAD, this maxes out at roughly ~200 players before new entries become impossible.

Risk

Likelihood: High

  • A motivated attacker can enter with many unique addresses across multiple transactions, building up the players array cheaply.

  • After selectWinner() runs and clears the array, the attack must be repeated — but within a single raffle round it is effective.

  • No cost-prohibitive barrier exists: each attacker entry costs only entranceFee and can be reclaimed via refund().

Impact: High

  • Legitimate users cannot enter the raffle; the protocol's core functionality is completely denied.

  • The attacker can also front-run any attempt to call selectWinner() (which resets players) to maintain the DoS indefinitely.

Severity: High

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
interface IPuppyRaffle {
function enterRaffle(address[] memory newPlayers) external payable;
function refund(uint256 playerIndex) external;
function entranceFee() external view returns (uint256);
}
contract DosRaffle {
IPuppyRaffle public target;
constructor(address _target) { target = IPuppyRaffle(_target); }
// Fill the array with N distinct addresses derived from attacker address
function fillArray(uint256 n) external payable {
uint256 fee = target.entranceFee();
require(msg.value == fee * n, "wrong fee");
address[] memory players = new address[](1);
for (uint256 i = 0; i < n; i++) {
// unique addresses via CREATE2-style padding
players[0] = address(uint160(uint256(keccak256(abi.encode(address(this), i)))));
target.enterRaffle{value: fee}(players);
}
}
// Subsequent enterRaffle() calls by victims will revert with OOG
}

Expected outcome: After fillArray(100), any call to enterRaffle() with new addresses that would land in positions ≥100 hits block gas limit and reverts.

Recommended Mitigation

Replace the O(n²) duplicate check with an O(1) mapping:

+ mapping(address => bool) private s_hasEntered;
function enterRaffle(address[] memory newPlayers) public payable {
require(msg.value == entranceFee * newPlayers.length, "...");
for (uint256 i = 0; i < newPlayers.length; i++) {
+ require(!s_hasEntered[newPlayers[i]], "PuppyRaffle: Duplicate player");
+ s_hasEntered[newPlayers[i]] = true;
players.push(newPlayers[i]);
}
- // Remove the nested O(n²) loop entirely
}

Clear the mapping in selectWinner() at the same time players is deleted. This reduces duplicate detection to O(n) in the number of new entrants only.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] `PuppyRaffle: enterRaffle` Use of gas extensive duplicate check leads to Denial of Service, making subsequent participants to spend much more gas than prev ones to enter

## Description `enterRaffle` function uses gas inefficient duplicate check that causes leads to Denial of Service, making subsequent participants to spend much more gas than previous users to enter. ## Vulnerability Details In the `enterRaffle` function, to check duplicates, it loops through the `players` array. As the `player` array grows, it will make more checks, which leads the later user to pay more gas than the earlier one. More users in the Raffle, more checks a user have to make leads to pay more gas. ## Impact As the arrays grows significantly over time, it will make the function unusable due to block gas limit. This is not a fair approach and lead to bad user experience. ## POC In existing test suit, add this test to see the difference b/w gas for users. once added run `forge test --match-test testEnterRaffleIsGasInefficient -vvvvv` in terminal. you will be able to see logs in terminal. ```solidity function testEnterRaffleIsGasInefficient() public { vm.startPrank(owner); vm.txGasPrice(1); /// First we enter 100 participants uint256 firstBatch = 100; address[] memory firstBatchPlayers = new address[](firstBatch); for(uint256 i = 0; i < firstBatchPlayers; i++) { firstBatch[i] = address(i); } uint256 gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * firstBatch}(firstBatchPlayers); uint256 gasEnd = gasleft(); uint256 gasUsedForFirstBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the first 100 partipants is:", gasUsedForFirstBatch); /// Now we enter 100 more participants uint256 secondBatch = 200; address[] memory secondBatchPlayers = new address[](secondBatch); for(uint256 i = 100; i < secondBatchPlayers; i++) { secondBatch[i] = address(i); } gasStart = gasleft(); puppyRaffle.enterRaffle{value: entranceFee * secondBatch}(secondBatchPlayers); gasEnd = gasleft(); uint256 gasUsedForSecondBatch = (gasStart - gasEnd) * txPrice; console.log("Gas cost of the next 100 participant is:", gasUsedForSecondBatch); vm.stopPrank(owner); } ``` ## Recommendations Here are some of recommendations, any one of that can be used to mitigate this risk. 1. User a mapping to check duplicates. For this approach you to declare a variable `uint256 raffleID`, that way each raffle will have unique id. Add a mapping from player address to raffle id to keep of users for particular round. ```diff + uint256 public raffleID; + mapping (address => uint256) public usersToRaffleId; . . function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); + usersToRaffleId[newPlayers[i]] = true; } // Check for duplicates + for (uint256 i = 0; i < newPlayers.length; i++){ + require(usersToRaffleId[i] != raffleID, "PuppyRaffle: Already a participant"); - for (uint256 i = 0; i < players.length - 1; i++) { - for (uint256 j = i + 1; j < players.length; j++) { - require(players[i] != players[j], "PuppyRaffle: Duplicate player"); - } } emit RaffleEnter(newPlayers); } . . . function selectWinner() external { //Existing code + raffleID = raffleID + 1; } ``` 2. Allow duplicates participants, As technically you can't stop people participants more than once. As players can use new address to enter. ```solidity function enterRaffle(address[] memory newPlayers) public payable { require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle"); for (uint256 i = 0; i < newPlayers.length; i++) { players.push(newPlayers[i]); } emit RaffleEnter(newPlayers); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!