
Conversation

@yogurtandjam
Contributor

Prizes are immediately marked as inactive and thus uneditable once all users are drawn, but we often have to make updates, such as tally form id.

Copilot AI review requested due to automatic review settings October 31, 2025 17:03
@octane-security-app

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

  • Raffle.sol: Removed prizeIsActive modifier, allowing prize updates regardless of active status.

🔗 Commit Hash: 413f3b6


Copilot AI left a comment


Pull Request Overview

This PR removes the prizeIsActive modifier from the updatePrize function, enabling administrators to edit prize details (name, value, quantity, and form ID) even after all winners have been drawn and the prize has been marked as inactive.

Key Changes:

  • Removed the prizeIsActive modifier restriction from the updatePrize function


uint256 quantity,
string calldata formId
) external onlyRole(ADMIN_ROLE) prizeIsActive(prizeId) {
) external onlyRole(ADMIN_ROLE) {
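Review bot: the guard is removed wholesale rather than narrowed. The PR description names the tally form id as the field that needs editing after a draw, yet once `prizeIsActive(prizeId)` is dropped the remaining signature `) external onlyRole(ADMIN_ROLE) {` leaves `quantity` and the other parameters editable on a prize whose winners are already drawn, with no replacement check anywhere in this hunk. Suggest keeping the modifier on `updatePrize` and adding a separate admin-only setter for `formId`, or at minimum requiring that `quantity` never drops below the number of winners already drawn for the prize.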

Copilot AI Oct 31, 2025


Removing the prizeIsActive check allows modification of prize details after the prize lifecycle has completed. This could lead to data integrity issues if prize information (name, value, quantity) is changed after winners have been determined, potentially creating inconsistencies in historical records or audit trails. Consider implementing a more granular permission system that allows editing only specific fields like formId for inactive prizes while restricting changes to core prize attributes.

string calldata formId
) external onlyRole(ADMIN_ROLE) prizeIsActive(prizeId) {
) external onlyRole(ADMIN_ROLE) {
// Update prize details without affecting tickets or active status
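Review bot: the trailing context line `// Update prize details without affecting tickets or active status` is now the only documentation of the relaxed behaviour and it no longer describes it, since the function can be called on an inactive prize. Update the comment to state that fully drawn (inactive) prizes are editable and which parameter the relaxation is meant for (the form id, per the PR description), so the intent lives next to the code rather than only in this PR thread.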

Copilot AI Oct 31, 2025


The comment states 'without affecting tickets or active status', but this is now misleading, since the function can modify inactive prizes. Update the comment to clarify that this function can edit both active and inactive prizes, or specify which fields should be edited after a prize becomes inactive.

Suggested change
// Update prize details without affecting tickets or active status
// Update prize details (name, description, value, quantity, formId) for both active and inactive prizes without affecting tickets or the active status

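The split Copilot's two comments above describe (a narrow post-draw edit path for the form id, core attributes kept frozen, and a comment that says so) written out as an added example. This is not the project's Raffle.sol and not part of this PR; it reuses the page's ADMIN_ROLE, onlyRole and prizeIsActive names and the updatePrize parameters, while the Prize struct layout, the winnersDrawn counter, createPrize/recordWinner and the in-contract role mapping (standing in for the real access-control setup) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's Raffle.sol. Struct layout, the
// winnersDrawn counter, createPrize/recordWinner and the in-contract role
// mapping are assumptions made for this example.
contract PrizeEditExample {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    struct Prize {
        string name;
        string description;
        uint256 value;
        uint256 quantity;     // number of winners this prize can have
        string formId;        // off-chain claim-form reference (tally form id)
        uint256 winnersDrawn; // assumed counter, advanced as winners are selected
        bool isActive;        // false once winnersDrawn == quantity
    }

    mapping(uint256 => Prize) public prizes;
    uint256 public nextPrizeId;
    mapping(bytes32 => mapping(address => bool)) private _roles;

    event PrizeUpdated(uint256 indexed prizeId, string name, uint256 value, uint256 quantity);
    event PrizeFormIdUpdated(uint256 indexed prizeId, string oldFormId, string newFormId);

    constructor() {
        _roles[ADMIN_ROLE][msg.sender] = true;
    }

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "missing role");
        _;
    }

    // Same guard the PR removed: only prizes with winners still to draw pass.
    modifier prizeIsActive(uint256 prizeId) {
        require(prizes[prizeId].isActive, "prize inactive");
        _;
    }

    function createPrize(string calldata name, string calldata description, uint256 value, uint256 quantity, string calldata formId)
        external onlyRole(ADMIN_ROLE) returns (uint256 prizeId)
    {
        require(quantity > 0, "quantity must be positive");
        prizeId = nextPrizeId++;
        prizes[prizeId] = Prize(name, description, value, quantity, formId, 0, true);
    }

    // Stand-in for the draw path: each winner consumes one unit of quantity and
    // the prize flips to inactive when the last one is drawn.
    function recordWinner(uint256 prizeId) external onlyRole(ADMIN_ROLE) prizeIsActive(prizeId) {
        Prize storage p = prizes[prizeId];
        p.winnersDrawn += 1;
        if (p.winnersDrawn == p.quantity) {
            p.isActive = false;
        }
    }

    // Update core prize details for active prizes only. Quantity can never drop
    // below the winners already recorded, so existing winner records stay valid.
    function updatePrize(uint256 prizeId, string calldata name, string calldata description, uint256 value, uint256 quantity, string calldata formId)
        external onlyRole(ADMIN_ROLE) prizeIsActive(prizeId)
    {
        Prize storage p = prizes[prizeId];
        require(quantity > 0, "quantity must be positive");
        require(quantity >= p.winnersDrawn, "quantity below drawn winners");
        p.name = name;
        p.description = description;
        p.value = value;
        p.quantity = quantity;
        p.formId = formId;
        if (p.winnersDrawn == quantity) {
            p.isActive = false; // keep the "inactive once fully drawn" invariant
        }
        emit PrizeUpdated(prizeId, name, value, quantity);
    }

    // Update only the form reference. Allowed for active and inactive prizes:
    // it is an off-chain pointer and touches nothing that winner selection
    // depends on. Its own event makes a post-draw change visible in the logs.
    function updatePrizeFormId(uint256 prizeId, string calldata formId) external onlyRole(ADMIN_ROLE) {
        Prize storage p = prizes[prizeId];
        require(p.quantity != 0, "unknown prize");
        string memory oldFormId = p.formId;
        p.formId = formId;
        emit PrizeFormIdUpdated(prizeId, oldFormId, formId);
    }
}
```

Compared with the merged change, updatePrize keeps the removed modifier and additionally refuses a quantity below the winners already drawn, so historical winner records cannot be invalidated by an edit; updatePrizeFormId is the only admin path open on an inactive prize, and the function comments state that explicitly, which is the documentation gap the second comment raises.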
@ungaro ungaro self-assigned this Oct 31, 2025
@ungaro
Member

ungaro commented Oct 31, 2025

lgtm.

@ungaro ungaro closed this Oct 31, 2025
@ungaro ungaro reopened this Oct 31, 2025
@yogurtandjam yogurtandjam merged commit 707aa15 into main Oct 31, 2025
3 checks passed
@yogurtandjam yogurtandjam deleted the jerms/allow-edits-for-inactive-prizes branch October 31, 2025 17:08
@octane-security-app

Overview

Vulnerabilities found: 7
Severity breakdown: 3 Medium, 4 Low
Warnings found: 2

Detailed findings

plume/src/spin/Raffle.sol

  • Unbounded prizeIds growth and O(N) removal in Raffle causes availability degradation.
  • Unbounded iteration in Raffle.sol getValidWinnersCount causes DoS of winner selection.
  • Unbounded storage loop in Raffle.getValidWinnersCount used in transactional paths causes DoS of winner selection.
  • O(n) scanning of prizeWinners via getValidWinnersCount in Raffle winner selection causes gas-driven DoS of drawing winners.
  • No sales closure/snapshot before VRF in Raffle allows last-second entries causing unfair odds dilution.
  • Incomplete VRF request cancellation in Raffle.sol causes unintended winner selection after cancellation.
  • Incomplete cancellation of VRF requests in Raffle allows stale callbacks to select winners and block intended re-draws.

Warnings

plume/src/spin/Raffle.sol

  • O(N) scan of prizeWinners in Raffle winner selection functions causes DoS of prize drawing.
  • Unbounded iteration in Raffle.getValidWinnersCount causes gas-based DoS of winner selection.

🔗 Commit Hash: 413f3b6
🛡️ Octane Dashboard: All vulnerabilities
