Summary

The Pot contract's constructor does not validate the uniqueness of player addresses when creating a new instance. This creates a risk where a player can appear multiple times in the players array, leading to incorrect reward allocation. In its current state, if duplicate player addresses are present, the reward is overwritten instead of incremented, which could cause distribution inconsistencies.

Vulnerability Details

The constructor of the Pot contract takes two arrays, players and rewards, to assign specific reward amounts to each player. However, no check is implemented to ensure that the players array does not contain duplicate addresses. When duplicate player addresses are present, only the last occurrence in the array will have its reward value assigned, as earlier values will be overwritten in the playersToRewards mapping.

Impact

Duplicate addresses will either cause rewards to be overwritten or inconsistently distributed. This leads to an incorrect allocation of funds and undermines the fairness of the distribution mechanism.

Tools Used

Manual Code Review

Recommendations

Modify the logic to increment the reward for player addresses rather than overwriting it. This ensures that if a player appears multiple times in the players array, they receive the correct cumulative reward.