MyCut

First Flight #23
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Missing Input Validation in Pot Constructor

Summary

Pot::constructor() lacks validation for its input parameters. The players, rewards, and token arguments require validation because their corresponding variables do not have setter functions.

Vulnerability Details

  • The token argument is missing validation against the 0x0 address.

  • The players and rewards arrays are missing a check that their length is not 0. Additionally, the players array should be checked for the 0x0 address to ensure that the addresses can claim the rewards.

  • The players and rewards arrays should be validated to have the same length.

  • totalRewards should be checked against the sum of the rewards in the rewards array.

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
    i_players = players;
    i_rewards = rewards;
    i_token = token;
    // ...
}

Impact

Mistakes during initialization of Pot can render the instance unusable.

Tools Used

Manual review

Recommendations

It is recommended to implement comprehensive validation checks for the players, rewards, and token parameters within the Vesting::constructor() to ensure that the contract works correctly.
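
One way to implement the checks listed under Vulnerability Details, as an added example rather than code from the MyCut repository. The contract name PotValidated, the custom error names, the i_totalRewards variable and the minimal IERC20 interface are assumptions made so that the block compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in so the example compiles on its own; only the type is needed here.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Added example: contract name and error names are hypothetical, not from the MyCut code base.
contract PotValidated {
    error Pot__ZeroTokenAddress();
    error Pot__EmptyPlayers();
    error Pot__LengthMismatch(uint256 players, uint256 rewards);
    error Pot__ZeroPlayerAddress(uint256 index);
    error Pot__TotalRewardsMismatch(uint256 expected, uint256 actual);

    address[] private i_players;
    uint256[] private i_rewards;
    IERC20 private immutable i_token;
    uint256 private immutable i_totalRewards; // assumed storage for totalRewards

    constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
        // The token has no setter, so reject the zero address up front.
        if (address(token) == address(0)) revert Pot__ZeroTokenAddress();
        // An empty pot has nobody who can claim.
        if (players.length == 0) revert Pot__EmptyPlayers();
        // Each player needs exactly one reward entry.
        if (players.length != rewards.length) revert Pot__LengthMismatch(players.length, rewards.length);

        uint256 sum;
        for (uint256 i = 0; i < players.length; ++i) {
            // A reward assigned to address(0) can never be claimed.
            if (players[i] == address(0)) revert Pot__ZeroPlayerAddress(i);
            sum += rewards[i]; // checked arithmetic in 0.8.x reverts on overflow
        }
        // totalRewards must equal the sum of the individual rewards.
        if (sum != totalRewards) revert Pot__TotalRewardsMismatch(totalRewards, sum);

        i_players = players;
        i_rewards = rewards;
        i_token = token;
        i_totalRewards = totalRewards;
    }
}
```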

Updates

Lead Judging Commences

equious Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

tm2 Submitter 11 months ago
equious Lead Judge 11 months ago
tm2 Submitter 11 months ago
equious Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
