MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect Initialization of Ownable Contract

Dec3mber

Summary

The Pot contract incorrectly initializes the Ownable parent contract in the inheritance declaration instead of the constructor, which is a wrong statement.

Vulnerability Details

In the Pot contract, the Ownable parent contract is incorrectly initialized in the inheritance declaration:

contract Pot is Ownable(msg.sender) {}

This syntax is not supported in Solidity and does not correctly initialize the Ownable contract. Although in this specific case, since the Pot contract is always deployed by the ContestManager contract, the msg.sender at deployment will indeed be the ContestManager, meaning that the ContestManager becomes the owner of the Pot contract. Thus, the core functionality remains intact.

Impact

• Confusion and Misinterpretation: The incorrect syntax could lead to confusion and incorrect assumptions about the contract’s ownership and security model.

• Potential Introduction of Errors: Future changes or refactoring might introduce errors if developers assume this pattern is valid and reuse it incorrectly.

Tools Used

Manual Review

Recommendations

The Ownable contract should be correctly initialized in the constructor of the Pot contract. Even though the msg.sender in this context is correctly set to the ContestManager, the proper syntax ensures clarity and maintains code quality:

- contract Pot is Ownable(msg.sender) {

+ contract Pot is Ownable {

- constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {

+ constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) Ownable() {

i_players = players;

i_rewards = rewards;

i_token = token;

i_totalRewards = totalRewards;

remainingRewards = totalRewards;

i_deployedAt = block.timestamp;

for (uint256 i = 0; i < i_players.length; i++) {

playersToRewards[i_players[i]] = i_rewards[i];

}

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

Dec3mber Submitter

about 1 year ago

equious Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.