Beginner Friendly: FoundryNFT
100 EXP
Submission Details
Severity: low
Valid

Flaw in `getActivePlayerIndex` Function

Vulnerability Details

The getActivePlayerIndex function is intended to return the position of a player in the players array. Its fallback, however, is to return 0 when the address is not found, which is also the index of the first entrant. Callers therefore cannot tell "entered at slot 0" apart from "never entered", which can lead to wrong decisions about player state.

    function getActivePlayerIndex(address player) external view returns (uint256) {
        // Linear scan over the players array
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) {
                return i;
            }
        }
        // Not found: 0 is also a valid index, so this return value is ambiguous
        return 0;
    }

Impact

Since arrays in Solidity are zero-indexed, the function returns 0 both when the player occupies the first slot of the array and when the player is not present at all. A caller that treats 0 as "not active" will wrongly classify the first entrant as inactive, and a caller that treats the return value as a valid index will read slot 0 for an address that never entered. Any logic that depends on a player's exact position, or on whether the player is entered at all, cannot rely on this function.

Recommendations

  • Distinct Return Value for Non-Existent Players: Modify the function to return a value that can never be a valid index when a player is not found (for example a documented sentinel such as type(uint256).max, or the length of the array). Alternatively, return an explicit (bool found, uint256 index) pair so callers cannot misread the result.

  • Documentation and Error Handling: Update the documentation to state exactly what the function returns in each case. Where the caller cannot proceed without a valid index, prefer reverting with a descriptive error (or custom error) over returning a sentinel that callers may forget to check.

  • Use of Mappings for Efficiency: Consider a mapping from player address to index (stored as index + 1 so the zero default means "not entered"). This gives O(1) lookups that remain reliable as the players array grows, provided the mapping is updated on every path that adds or removes a player.
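The following is an added example written for this finding, not code from the audited contract. It places the flawed function beside three hardened variants (a sentinel, a found flag backed by a mapping, and a typed revert) and includes a Foundry test that reproduces the slot-0 ambiguity. The contract name, the playerIndexPlusOne mapping, NOT_FOUND, PlayerNotFound and the test addresses are assumptions made for the illustration; the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Added example, not the audited contract. PlayerIndexExample, playerIndexPlusOne,
// NOT_FOUND and PlayerNotFound are names assumed for this illustration.
contract PlayerIndexExample {
    address[] public players;

    // Sentinel that can never be a valid array index.
    uint256 public constant NOT_FOUND = type(uint256).max;

    // 1-based position of each entrant in `players`; 0 means "not entered".
    // Storing index + 1 keeps the mapping's zero default free for the absent case.
    mapping(address => uint256) private playerIndexPlusOne;

    error PlayerNotFound(address player);

    function enterRaffle(address[] calldata newPlayers) external {
        for (uint256 i = 0; i < newPlayers.length; i++) {
            require(playerIndexPlusOne[newPlayers[i]] == 0, "PlayerIndexExample: duplicate player");
            players.push(newPlayers[i]);
            playerIndexPlusOne[newPlayers[i]] = players.length; // new index + 1
        }
    }

    // The flawed version from the finding, kept for comparison.
    function getActivePlayerIndexOriginal(address player) external view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) return i;
        }
        return 0; // collides with the index of the first entrant
    }

    // Option A: a sentinel distinct from every valid index.
    function getActivePlayerIndex(address player) external view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == player) return i;
        }
        return NOT_FOUND;
    }

    // Option B: explicit found flag, O(1) via the mapping.
    function tryGetActivePlayerIndex(address player) external view returns (bool found, uint256 index) {
        uint256 plusOne = playerIndexPlusOne[player];
        if (plusOne == 0) return (false, 0);
        return (true, plusOne - 1);
    }

    // Option C: revert with a typed error instead of returning a guessable value.
    function requireActivePlayerIndex(address player) external view returns (uint256) {
        uint256 plusOne = playerIndexPlusOne[player];
        if (plusOne == 0) revert PlayerNotFound(player);
        return plusOne - 1;
    }

    function isActivePlayer(address player) external view returns (bool) {
        return playerIndexPlusOne[player] != 0;
    }
}

// Foundry test (assumes forge-std) reproducing the ambiguity and checking that
// the hardened variants distinguish slot 0 from "not entered".
contract PlayerIndexExampleTest is Test {
    PlayerIndexExample internal raffle;
    address internal alice = address(0xA11CE);   // constructed test addresses
    address internal bob = address(0xB0B);
    address internal stranger = address(0x5717A); // never enters

    function setUp() public {
        raffle = new PlayerIndexExample();
        address[] memory entrants = new address[](2);
        entrants[0] = alice;
        entrants[1] = bob;
        raffle.enterRaffle(entrants);
    }

    function testOriginalIsAmbiguous() public {
        // Both calls return 0: slot 0 and "not entered" collapse into one value.
        assertEq(raffle.getActivePlayerIndexOriginal(alice), 0);
        assertEq(raffle.getActivePlayerIndexOriginal(stranger), 0);
    }

    function testHardenedVariantsDistinguish() public {
        assertEq(raffle.getActivePlayerIndex(alice), 0);
        assertEq(raffle.getActivePlayerIndex(stranger), raffle.NOT_FOUND());

        (bool found, uint256 idx) = raffle.tryGetActivePlayerIndex(bob);
        assertTrue(found);
        assertEq(idx, 1);
        (found, ) = raffle.tryGetActivePlayerIndex(stranger);
        assertFalse(found);

        vm.expectRevert(abi.encodeWithSelector(PlayerIndexExample.PlayerNotFound.selector, stranger));
        raffle.requireActivePlayerIndex(stranger);
    }
}
```

Run with `forge test` in a project that has forge-std installed. One caveat on the mapping approach: if the contract can remove a player (for instance by zeroing a slot or clearing the array), that path must also clear the corresponding playerIndexPlusOne entry, otherwise isActivePlayer and tryGetActivePlayerIndex will report a stale index.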

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

getActivePlayerIndex can say a player is both entered at slot 0 and inactive
