Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Refund Accounting Breaks Settlement

cryptocrucible

Root + Description

### Root + Impact

**Normal behavior:** Each paid entrant contributes `entranceFee` to the contract. After the raffle duration, `selectWinner()` should pay 80% of collected funds to the winner and accrue 20% as fees, then clear the round.

**Issue:** `refund()` zeroes a player's slot but does not shrink `players` or track an active-player count. `selectWinner()` still computes `totalAmountCollected = players.length * entranceFee`, overstating liabilities after any refund. The winner payout then exceeds the contract balance and the transaction reverts, bricking settlement for that round.

// @> refund() leaves a hole in the array

players[playerIndex] = address(0);

// @> selectWinner() still prices the full array length

uint256 totalAmountCollected = players.length * entranceFee;

uint256 prizePool = (totalAmountCollected * 80) / 100;

(bool success,) = winner.call{value: prizePool}("");

require(success, "PuppyRaffle: Failed to send prize pool to winner");

**Likelihood:**

- Any round where at least one entrant calls `refund()` before `selectWinner()` triggers the mismatch — a documented, user-facing flow.

- A single refund in a minimally valid 4-player round creates a 1 ETH shortfall on a 1 ETH fee configuration (proportional for other fee sizes).

**Impact:**

- `selectWinner()` reverts permanently for that round until manual intervention or migration.

- ETH from remaining active players can remain locked in the contract.

- Fee accrual and NFT minting for that round never complete.

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

pragma experimental ABIEncoderV2;

import {Test} from "forge-std/Test.sol";

import {PuppyRaffle} from "../src/PuppyRaffle.sol";

/// @notice PoC for C-01: selectWinner() prices the round using players.length after refunds left address(0) holes.

contract C_01_RefundAccountingBreaksSettlement is Test {

function test_poc() public {

PuppyRaffle raffle = new PuppyRaffle(1 ether, address(99), 1 days);

address[] memory players = new address[](4);

players[0] = address(1);

players[1] = address(2);

players[2] = address(3);

players[3] = address(4);

raffle.enterRaffle{value: 4 ether}(players);

vm.prank(players[2]);

raffle.refund(2);

vm.warp(block.timestamp + 1 days + 1);

vm.roll(block.number + 1);

vm.expectRevert("PuppyRaffle: Failed to send prize pool to winner");

raffle.selectWinner();

}

Recommended Mitigation

## Recommended Mitigation

- Track `activePlayerCount` and decrement on refund, or remove entries with swap-and-pop.

- Base `totalAmountCollected` on `activePlayerCount * entranceFee`, not `players.length`.

- Reject `selectWinner()` unless `activePlayerCount >= 4`.

```diff

function refund(uint256 playerIndex) public {

...

- players[playerIndex] = address(0);

+ players[playerIndex] = players[players.length - 1];

+ players.pop();

+ activePlayerCount--;

}

function selectWinner() external {

- require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

- uint256 totalAmountCollected = players.length * entranceFee;

+ require(activePlayerCount >= 4, "PuppyRaffle: Need at least 4 active players");

+ uint256 totalAmountCollected = activePlayerCount * entranceFee;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-04] `PuppyRaffle::refund` replaces an index with address(0) which can cause the function `PuppyRaffle::selectWinner` to always revert

## Description `PuppyRaffle::refund` is supposed to refund a player and remove him from the current players. But instead, it replaces his index value with address(0) which is considered a valid value by solidity. This can cause a lot issues because the players array length is unchanged and address(0) is now considered a player. ## Vulnerability Details ```javascript players[playerIndex] = address(0); @> uint256 totalAmountCollected = players.length * entranceFee; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); _safeMint(winner, tokenId); ``` If a player refunds his position, the function `PuppyRaffle::selectWinner` will always revert. Because more than likely the following call will not work because the `prizePool` is based on a amount calculated by considering that that no player has refunded his position and exit the lottery. And it will try to send more tokens that what the contract has : ```javascript uint256 totalAmountCollected = players.length * entranceFee; uint256 prizePool = (totalAmountCollected * 80) / 100; (bool success,) = winner.call{value: prizePool}(""); require(success, "PuppyRaffle: Failed to send prize pool to winner"); ``` However, even if this calls passes for some reason (maby there are more native tokens that what the players have sent or because of the 80% ...). The call will thankfully still fail because of the following line is minting to the zero address is not allowed. ```javascript _safeMint(winner, tokenId); ``` ## Impact The lottery is stoped, any call to the function `PuppyRaffle::selectWinner`will revert. There is no actual loss of funds for users as they can always refund and get their tokens back. However, the protocol is shut down and will lose all it's customers. A core functionality is exposed. Impact is high ### Proof of concept To execute this test : forge test --mt testWinnerSelectionRevertsAfterExit -vvvv ```javascript function testWinnerSelectionRevertsAfterExit() public playersEntered { vm.warp(block.timestamp + duration + 1); vm.roll(block.number + 1); // There are four winners. Winner is last slot vm.prank(playerFour); puppyRaffle.refund(3); // reverts because out of Funds vm.expectRevert(); puppyRaffle.selectWinner(); vm.deal(address(puppyRaffle), 10 ether); vm.expectRevert("ERC721: mint to the zero address"); puppyRaffle.selectWinner(); } ``` ## Recommendations Delete the player index that has refunded. ```diff - players[playerIndex] = address(0); + players[playerIndex] = players[players.length - 1]; + players.pop() ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!