The `getContestTotalRewards` function in the `ContestManager` contract is responsible for returning the total rewards allocated to a given contest. However, the function lacks a check to ensure that the provided contest address is not the zero address (`address(0)`). If an invalid or non-existent contest address is passed to this function, it will return 0. While this might be the intended behavior, it can be misleading because a return value of 0 could either indicate that no rewards have been allocated to the contest or that the contest address is invalid.
Misleading Results: The absence of an address zero check can lead to ambiguous outcomes. Users might interpret a return value of 0 as either a lack of allocated rewards or the use of an invalid contest address, leading to potential confusion or incorrect assumptions.
Security Implications: If the function is called with an invalid contest address, it could result in downstream logic relying on inaccurate data, possibly leading to incorrect or unexpected behaviors in other parts of the system.
Add this test to TestMyCut.t.sol
Tools Used
Manual Review
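The ambiguity described above, shown as an added Solidity sketch that is not the audited ContestManager code: the contract name, both mapping names, the `registerContest` helper and the custom errors are assumptions made for illustration. The unchecked getter returns 0 for the zero address and for unknown contests, while the checked one reverts so that 0 can only mean a registered contest with no rewards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added sketch, not the audited contract. All storage and error names are assumed.
contract ContestRewardsSketch {
    error ContestManager__ZeroAddress();
    error ContestManager__UnknownContest(address contest);

    // Assumed storage: total rewards per contest, plus a flag set at creation time.
    mapping(address => uint256) private contestToTotalRewards;
    mapping(address => bool) private isContest;

    // Stand-in for contest creation so the sketch is self-contained.
    // Access control is omitted here; a real manager would restrict this call.
    function registerContest(address contest, uint256 totalRewards) external {
        if (contest == address(0)) revert ContestManager__ZeroAddress();
        isContest[contest] = true;
        contestToTotalRewards[contest] = totalRewards;
    }

    // Behaviour described in the finding: address(0) and unknown contests
    // silently read the mapping default and return 0.
    function getContestTotalRewardsUnchecked(address contest)
        external
        view
        returns (uint256)
    {
        return contestToTotalRewards[contest];
    }

    // Checked variant: invalid input reverts with a specific error, so a
    // returned 0 only ever means "registered contest, no rewards allocated".
    function getContestTotalRewards(address contest)
        external
        view
        returns (uint256)
    {
        if (contest == address(0)) revert ContestManager__ZeroAddress();
        if (!isContest[contest]) revert ContestManager__UnknownContest(contest);
        return contestToTotalRewards[contest];
    }
}
```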