Section 4 Puppy Raffle: Reentrancy attack failing beyond a certain threshold size of players

[RichuAK]

I wanted to reproduce the reentrancy attack and play around with it, so I wrote my own contract, which can be found here

The ReEntrancy works till the number of players is 510. From 511 onwards it throws an error. I'm trying to understand why that's the case.

Here's PuppyRaffleTest.t.sol::testHackRaffle() :

// test to check ReEntrancy. Works, sort of.
    function testHackRaffle() public {
        // players entering the raffle
        uint256 playersNum = 510;
        address[] memory players = new address[](playersNum);
        for (uint256 i = 0; i < playersNum; i++) {
            players[i] = address(i);
        }
        puppyRaffle.enterRaffle{value: entranceFee * playersNum}(players);
        console.log("Total number of players before Reentrancy: ", players.length);
        // ReEntrancy Begins
        uint256 startingRaffleBalance = address(puppyRaffle).balance;
        console.log("Raffle contract balance before Reentrancy: ", startingRaffleBalance);
        HackRaffle hackRaffle = new HackRaffle{value: entranceFee}(address(puppyRaffle));
        hackRaffle.enter();
        hackRaffle.hackRefund();
        uint256 endingRaffleBalance = address(puppyRaffle).balance;
        console.log("Raffle contract balance after Reentrancy: ", endingRaffleBalance);
        // assert(address(puppyRaffle).balance < entranceFee);
        assert(endingRaffleBalance == 0);
        // assert((startingRaffleBalance - endingRaffleBalance) > entranceFee);
    }

Here are the test results:

Would love any insight into why there's a threshold, and why the number 510.

Thank you!

[TilakMaddy]

The below line in your contract prevents transactions above a certain gas limit.

        payable(msg.sender).sendValue(entranceFee);

[RichuAK]

But this is part of the original PuppyRaffle.sol::refund(), isn't it?

function refund(uint256 playerIndex) public {
        address playerAddress = players[playerIndex];
        require(playerAddress == msg.sender, "PuppyRaffle: Only the player can refund");
        require(playerAddress != address(0), "PuppyRaffle: Player already refunded, or is not active");

        payable(msg.sender).sendValue(entranceFee);

        players[playerIndex] = address(0);
        emit RaffleRefunded(playerAddress);
    }

If it's a gas issue, how do I drain all the funds in the contract beyond those number of players?

I tried adding adding a much higher gas_limit in foundry.toml :

[invariant]
gas_limit = "18446744073709551615" # u64::MAX

[TilakMaddy]

no, i meant that sendValue itself won't send the money if the gas price is too high (even if gas is available)

[RichuAK]

Oh, gotcha.

So in a way, this Reentrancy issue is only a partial reentrancy? The protocol is vulnerable, but won't be susceptible to a reentrancy attack beyond a certain number of players? From a security perspective, I mean.