MyCut

First Flight #23 (Beginner Friendly, Foundry)
Submission Details
Severity: high
Valid

No validation for duplicate players in `players` array

Summary

The `Pot` contract maps players to rewards during its initialization. However, it never validates that each address in the `players` array is unique. Because the constructor loop writes `playersToRewards` for every entry in turn, a duplicate address overwrites the reward stored for its earlier occurrence, leading to incorrect reward allocations.

Vulnerability Details

The `players` and `rewards` arrays are used in the constructor to map each player address to its corresponding reward. There is currently no check that each address in `players` is unique. Without such a check, duplicate addresses can easily go unnoticed and produce incorrect entries in the `playersToRewards` mapping.

    constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
        i_players = players;
        i_rewards = rewards;
        i_token = token;
        i_totalRewards = totalRewards;
        remainingRewards = totalRewards;
        i_deployedAt = block.timestamp;
        // i_token.transfer(address(this), i_totalRewards);
        // No uniqueness check: a repeated address simply overwrites its earlier entry.
        for (uint256 i = 0; i < i_players.length; i++) {
            playersToRewards[i_players[i]] = i_rewards[i];
        }
    }

Impact

Duplicate entries in the players array can lead to incorrect reward allocations. The affected player might receive a reward amount that differs from the original intent, which can result in disputes or dissatisfaction among participants.
Malicious users could exploit this by intentionally submitting duplicate addresses to manipulate the reward distribution, potentially siphoning rewards meant for others.

Tools Used

Manual Review

Recommendation

Add a check within the constructor to ensure that each address in the `players` array is unique, reverting when a duplicate is found.
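One way to implement the recommended check, as an added example that is not the MyCut project's own code. Only the constructor and a reward getter are shown; the rest of `Pot` is omitted. The contract name `PotWithUniquePlayers`, the custom error `Pot__DuplicatePlayer` and the Foundry test below it are assumptions. The check compares each address against every earlier entry in memory (O(n²), but no extra storage writes), which is adequate for the small winner lists a pot is initialized with; a `mapping(address => bool) seen` would be the alternative for long arrays.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {Test} from "forge-std/Test.sol";

/// @notice Added example (not the project's code): Pot constructor with a uniqueness
///         check on `players`. Claim/close logic of the real Pot is omitted.
contract PotWithUniquePlayers {
    // Assumed custom error; the real project may use a different name.
    error Pot__DuplicatePlayer(address player);

    address[] private i_players;
    uint256[] private i_rewards;
    IERC20 private immutable i_token;
    uint256 private immutable i_totalRewards;
    uint256 private immutable i_deployedAt;
    uint256 private remainingRewards;
    mapping(address => uint256) private playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
        i_players = players;
        i_rewards = rewards;
        i_token = token;
        i_totalRewards = totalRewards;
        remainingRewards = totalRewards;
        i_deployedAt = block.timestamp;

        for (uint256 i = 0; i < players.length; i++) {
            // Reject any address that already appeared earlier in the array,
            // so a later entry can never silently overwrite an earlier reward.
            for (uint256 j = 0; j < i; j++) {
                if (players[j] == players[i]) {
                    revert Pot__DuplicatePlayer(players[i]);
                }
            }
            playersToRewards[players[i]] = rewards[i];
        }
    }

    function getReward(address player) external view returns (uint256) {
        return playersToRewards[player];
    }
}

/// @notice Foundry regression test for the check above (assumed test, not from the project).
contract PotUniquePlayersTest is Test {
    address constant ALICE = address(0xA11CE);
    address constant BOB = address(0xB0B);

    function test_RevertsOnDuplicatePlayer() public {
        address[] memory players = new address[](2);
        players[0] = ALICE;
        players[1] = ALICE; // constructed duplicate entry
        uint256[] memory rewards = new uint256[](2);
        rewards[0] = 100;
        rewards[1] = 200;

        vm.expectRevert(abi.encodeWithSelector(PotWithUniquePlayers.Pot__DuplicatePlayer.selector, ALICE));
        new PotWithUniquePlayers(players, rewards, IERC20(address(0)), 300);
    }

    function test_DistinctPlayersKeepTheirOwnRewards() public {
        address[] memory players = new address[](2);
        players[0] = ALICE;
        players[1] = BOB;
        uint256[] memory rewards = new uint256[](2);
        rewards[0] = 100;
        rewards[1] = 200;

        PotWithUniquePlayers pot = new PotWithUniquePlayers(players, rewards, IERC20(address(0)), 300);
        assertEq(pot.getReward(ALICE), 100);
        assertEq(pot.getReward(BOB), 200);
    }
}
```

The first test deploys with a repeated address and expects the constructor to revert with the duplicate; the second confirms the happy path still stores one reward per distinct player. Run with `forge test` in a project that has forge-std and OpenZeppelin installed.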

Updates

Lead Judging Commences

equious (Lead Judge), about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags: incorrect handling of duplicate addresses
