Submission Details
Severity:
No enforcement of players.length == rewards.length in Pot contract
Source
https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L22C5-L35C6
Details
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
i_players = players;
i_rewards = rewards;
i_token = token;
i_totalRewards = totalRewards;
remainingRewards = totalRewards;
i_deployedAt = block.timestamp;
// i_token.transfer(address(this), i_totalRewards);
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
}
There can be oversight where the owner mistakenly input more rewards in the rewards array than in the players array; implying that the rewards.length will be greater than players.length. This oversight can especially happen where there is a large number of data than expected. There is no significant effect of this as the variable rewards.length was not used in any section of the code. However, an external contract reading into this variable might use it wrongly.
Tool Used
Manual Review
Recommendation
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
++ require(players.length == rewards.length, "Players to Reward Length Mismatch");
i_players = players;
i_rewards = rewards;
i_token = token;
i_totalRewards = totalRewards;
remainingRewards = totalRewards;
i_deployedAt = block.timestamp;
// i_token.transfer(address(this), i_totalRewards);
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
}
Rewards breakdown
nSLOC
106This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.