Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

Spamming events when user enter raffles with empty array

0xren

`PuppyRaffle::enterRaffle` allows enter with empy array, this can be used for spamming false positive events and prejudicate other contracts that reads this ones.

Description

The function PuppyRaffle::enterRaffle can called with a empty array of newPlayers, this will ignore these both loops and call the emit for RaffleEnter with 0 players.

function enterRaffle(address[] memory newPlayers) public payable {

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]);

}

// written unnecessary? users can make another wallet and enter anyway... save gas removing this validation

for (uint256 i = 0; i < players.length - 1; i++) {

for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j], "PuppyRaffle: Duplicate player");

}

@> emit RaffleEnter(newPlayers);

}

Risk

Impact:

Pollution from emitted events can make it difficult other contracts that reads PuppleRaffle events.

Recommended Mitigation

Consider add a minimum numbers of players for PuppyRaffle::enterRaffle or revert this function for empty arrays.

function enterRaffle(address[] memory newPlayers) public payable {

@> require(newPlayers.lenght > 0, "Empty players not allowed.")

require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");

for (uint256 i = 0; i < newPlayers.length; i++) {

players.push(newPlayers[i]);

}

// written unnecessary? users can make another wallet and enter anyway... save gas removing this validation

for (uint256 i = 0; i < players.length - 1; i++) {

for (uint256 j = i + 1; j < players.length; j++) {

require(players[i] != players[j], "PuppyRaffle: Duplicate player");

}

emit RaffleEnter(newPlayers);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 4 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!