Summary
In constructor of Pot.sol
, there is no checking length for array of players and array of rewards can lead either revert
array out of bound or last array of rewards
not used.
Vulnerability Details
In constructor of Pot.sol
, there is following code below :
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
i_players = players;
i_rewards = rewards;
i_token = token;
i_totalRewards = totalRewards;
remainingRewards = totalRewards;
i_deployedAt = block.timestamp;
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
}
There is no checking length for array of players and array of rewards. Sometimes, maybe user
has mistake when insert a value of players or value of rewards.
For example :
address[] players = [address("p1"), address("p2")];
uint256[] rewards = [10, 30, 40];
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
address[] players = [address("p1"), address("p2")];
uint256[] rewards = [10];
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
Impact
The protocol will either revert because of array out of bound or rewards will stay on protocol forever.
Tools Used
Manual Review ~ Foundry
Recommendations
Add checking for length of players and rewards to ensure they are exactly same :
constructor(address[] memory players, uint256[] memory rewards, IERC20 token, uint256 totalRewards) {
i_players = players;
i_rewards = rewards;
i_token = token;
i_totalRewards = totalRewards;
remainingRewards = totalRewards;
i_deployedAt = block.timestamp;
// i_token.transfer(address(this), i_totalRewards);
+ require(players.length == rewards.length, "Players and Rewards must at the same length");
for (uint256 i = 0; i < i_players.length; i++) {
playersToRewards[i_players[i]] = i_rewards[i];
}
}