MyCut

First Flight #23

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Validation in Constructor

bbash

Summary

The Pot smart contract’s constructor fails to validate that the lengths of the players and rewards arrays are equal. This missing validation can lead to incorrect mappings, resulting in potential vulnerabilities such as misallocation of rewards, incorrect assignment of players' rewards, and other unintended behaviors.

Vulnerability Details

Issue lies in this:

https://github.com/Cyfrin/2024-08-MyCut/blob/main/src/Pot.sol#L22-L35

constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {

i_players = players;

i_rewards = rewards;

i_token = token;

i_totalRewards = totalRewards;

remainingRewards = totalRewards;

i_deployedAt = block.timestamp;

// i_token.transfer(address(this), i_totalRewards);

for (uint256 i = 0; i < i_players.length; i++) {

playersToRewards[i_players[i]] = i_rewards[i];

}

The constructor directly maps players to rewards without validating that the two arrays have the same length. If the arrays have mismatched lengths, this could lead to incorrect mappings or even runtime errors when accessing elements that do not exist. The constructor should validate that both arrays have the same length before proceeding with the mapping. This can be achieved by adding a require statement at the beginning of the constructor.

Impact

Mismatched array lengths could result in players not receiving their designated rewards or receiving incorrect amounts, leading to unfair distribution. Accessing elements of the rewards array using an index from the players array could lead to runtime errors, particularly when the lengths are mismatched.

Tools Used

Manual Review

Recommendations

Add this line in constructor:

require(players.length == rewards.length, "Players and rewards length mismatch");

By adding this require statement, the contract ensures that it is only deployed with valid input, preventing any potential issues related to incorrect mappings or runtime errors. This change enhances the security and reliability of the contract.

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Rewards breakdown

nSLOC

106

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.