Puppy Raffle Refund concern.

[GTK-ARJUN]

Hi,

I have reached Lesson 32: Recon II for the puppy raffle and it seems like the participant may not get a complete refund. Please find the requirements for entering the raffle from PuppyRaffle::enterRaffle. I am not sure if this is the right place to ask a question for the competition that has been concluded.

        require(msg.value == entranceFee * newPlayers.length, "PuppyRaffle: Must send enough to enter raffle");
        for (uint256 i = 0; i < newPlayers.length; i++) {
            players.push(newPlayers[i]);
        }

and the code for refunding PuppyRaffle::refund is as below:

        payable(msg.sender).sendValue(entranceFee);

impact

To enter the raffle, participants have to pay N times the price of the total participants, however, at the time of refunding, he will get just the entranceFee and not the complete refund.

Mitigation

and the line for refunding PuppyRaffle::refund should be something like the below:

        payable(msg.sender).sendValue(entranceFee*newPlayers.length);

[akhilmanga]

100% true. It can be a high finding.

[PatrickAlphaC]

Actually, this isn't quite true.

I'll leave you to figure out why :)

[akhilmanga]

Oh sorry. I think, i got it. refund function will only refunds the entranceFee to the player who calls the function. Here, we are refunding the entranceFee using playerIndex . Is this correct? @PatrickAlphaC

[PatrickAlphaC]

You got it!

[EngrPips]

@GTK-ARJUN why your findings would be wrong and invalid is because actually the protocol doesn't expect a single person to enter with a multiple address meaning a single person can only enter once but you can enter with an array that would contain addresses of let's say your friends. And if we reason the protocol strictness towards duplicate check we would clearly see that.

so if you enter the game with an array of let's say 5 addresses the protocol assume only one of those addresses is actually yours and the remaining 4 addresses are of your friends, basically that means you guys would have settled each other off-chain on the entrance fee and whenever anyone of those friends you entered for or you yourself wanted to get a refund, you only get refunded a single entrance fee because you was expected to pay a single entrance.

That's why this function below is very essential in the protocol so you can get the index of your address

function getActivePlayerIndex(address player) external view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) {
                return i;
            }
        }
        return 0;
    }

And that is why you need to provide only your index to get back a refund as shown in protocol refund function below

function refund(uint256 playerIndex) public {
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

        payable(msg.sender).sendValue(entranceFee);

        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);
    }

I hope this clarify things @GTK-ARJUN @akhilmanga , @PatrickAlphaC This is very subjected to correction incase i get something wrong.