MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Lack of input validation in `createContest` function

Summary

The ContestManager smart contract lacks proper input validation in the createContest function, specifically regarding the lengths of the players and rewards arrays. Without validation, this can lead to mismatches between players and their corresponding rewards, causing incorrect contest setups and potentially resulting in incorrect payouts, user disputes, or contract malfunctions.

Vulnerability Details

The createContest function accepts two arrays as input: players (a list of contest participants) and rewards (the corresponding rewards for each participant).

```solidity
function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)
    public
    onlyOwner
    returns (address)
{
    // Create a new Pot contract
    Pot pot = new Pot(players, rewards, token, totalRewards);
    contests.push(address(pot));
    contestToTotalRewards[address(pot)] = totalRewards;
    return address(pot);
}
```

The function does not check that the players and rewards arrays have the same length before it creates the contest.

Impact

If the arrays are mismatched, the contest may be set up incorrectly, leading to players not receiving the rewards they are entitled to or rewards being misallocated.

Tools Used

Manual Review

Recommendation

Implement a validation check to ensure that the players and rewards arrays are of equal length before proceeding. If the lengths do not match, revert the transaction with a clear error message.
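One way to write the recommended check, as an added example that is not the project's code. The `IERC20` and `Pot` definitions are minimal stand-ins so the file compiles on its own; the index pairing inside `Pot`, the `playersToRewards` mapping, the contract name `ContestManagerChecked`, the inline owner check and both error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-ins so this file compiles alone (assumptions, not the project's code).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Pot {
    mapping(address => uint256) public playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards, IERC20, uint256) {
        // Assumed index pairing. If rewards is shorter than players, this loop
        // reverts with an opaque out-of-bounds panic; if rewards is longer, the
        // surplus entries are silently ignored.
        for (uint256 i = 0; i < players.length; i++) {
            playersToRewards[players[i]] = rewards[i];
        }
    }
}

contract ContestManagerChecked {
    // Hypothetical error names.
    error ContestManager__ArrayLengthMismatch(uint256 playersLength, uint256 rewardsLength);
    error ContestManager__NotOwner();

    address public immutable owner = msg.sender;
    address[] public contests;
    mapping(address => uint256) public contestToTotalRewards;

    modifier onlyOwner() {
        if (msg.sender != owner) revert ContestManager__NotOwner();
        _;
    }

    function createContest(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards)
        public
        onlyOwner
        returns (address)
    {
        // Reject mismatched inputs before any Pot is deployed or recorded,
        // and report both lengths so the caller can see what was wrong.
        if (players.length != rewards.length) {
            revert ContestManager__ArrayLengthMismatch(players.length, rewards.length);
        }
        Pot pot = new Pot(players, rewards, token, totalRewards);
        contests.push(address(pot));
        contestToTotalRewards[address(pot)] = totalRewards;
        return address(pot);
    }
}
```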

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
