The `Pot` contract's constructor does not validate the uniqueness of player addresses when creating a new instance. This creates a risk where a player can appear multiple times in the `players` array, leading to incorrect reward allocation. In its current state, if duplicate player addresses are present, the reward is overwritten instead of incremented, which could cause distribution inconsistencies.
The constructor of the `Pot` contract takes two arrays, `players` and `rewards`, to assign specific reward amounts to each player. However, no check is implemented to ensure that the `players` array does not contain duplicate addresses. When duplicate player addresses are present, only the last occurrence in the array will have its reward value assigned, as earlier values will be overwritten in the `playersToRewards` mapping.
Duplicate addresses will either cause rewards to be overwritten or inconsistently distributed. This leads to an incorrect allocation of funds and undermines the fairness of the distribution mechanism.
Manual Code Review
Modify the logic to increment the reward for player addresses rather than overwriting it. This ensures that if a player appears multiple times in the `players` array, they receive the correct cumulative reward.
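The overwrite and the recommended increment side by side, as an added sketch that is not the audited `Pot` source: only `players`, `rewards` and `playersToRewards` come from the finding, while the contract names, the `totalRewards` counter and the length check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the audited Pot contract.
// PotOverwrite and PotAccumulate are hypothetical names.

contract PotOverwrite {
    mapping(address => uint256) public playersToRewards;
    // Hypothetical counter: sum of every entry in the rewards array.
    uint256 public totalRewards;

    constructor(address[] memory players, uint256[] memory rewards) {
        // Assumed sanity check so the two arrays can be indexed together.
        require(players.length == rewards.length, "length mismatch");
        for (uint256 i = 0; i < players.length; i++) {
            // Behaviour described in the finding: a later duplicate entry
            // replaces the reward recorded earlier for the same address.
            playersToRewards[players[i]] = rewards[i];
            totalRewards += rewards[i];
        }
    }
}

contract PotAccumulate {
    mapping(address => uint256) public playersToRewards;
    uint256 public totalRewards;

    constructor(address[] memory players, uint256[] memory rewards) {
        require(players.length == rewards.length, "length mismatch");
        for (uint256 i = 0; i < players.length; i++) {
            // Recommended change: add to whatever is already recorded, so
            // repeated addresses end up with the cumulative amount.
            playersToRewards[players[i]] += rewards[i];
            totalRewards += rewards[i];
        }
    }
}
```

With the constructed input `players = [A, B, A]` and `rewards = [100, 50, 30]`, `PotOverwrite` records 30 for `A` while `PotAccumulate` records 130. In the overwriting version the per-player amounts sum to 80 against a `totalRewards` of 180, so comparing those two figures after deployment is a simple check for this defect.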