MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Lack of Input Validation in createContest() Can Lead to Unclaimed Rewards and Locked Funds

Summary

The createContest() function in the ContestManager contract does not include essential validation checks to ensure that the length of the players array matches the length of the rewards array, and that the sum of the rewards matches totalRewards. When the players array is shorter than the rewards array, excess rewards remain unclaimed, leading to locked funds and an inaccurate reward distribution.

Vulnerability Details

The createContest() function is responsible for creating a new Pot contract and distributing rewards to players. However, the function lacks critical validation checks:

  1. players.length == rewards.length: The number of players should match the number of rewards. If the rewards array is longer than the players array, the excess rewards will not be assigned to any player and will remain unclaimed.

  2. sum(rewards) == totalRewards: The sum of the individual rewards should match the totalRewards value. Without this check, either some funds will be locked in the contract, or there won’t be enough rewards for all players, causing discrepancies.

Without these validation checks, funds may remain unclaimed and locked in the contract, leading to a loss of tokens and potential misuse of resources.

Example Scenario:

  1. Initial Setup:

    • The owner creates a new contest with 3 players but provides rewards for 5 players.

    • players = [Player1, Player2, Player3]

    • rewards = [100, 200, 300, 400, 500]

    • totalRewards = 1500

  2. Outcome:

    • The fourth and fifth rewards (400 and 500) cannot be claimed by anyone, because there are no matching player entries for them.

    • As a result, 900 tokens (400 + 500) remain locked in the contract and cannot be accessed or reclaimed, leading to a loss of funds.

  3. Impact: The contract continues execution without an error, allowing players to claim rewards, but excess rewards remain unclaimed and locked in the contract, which could lead to a permanent loss of funds.

Impact

  • Unclaimable Rewards: If there are more rewards than players, the extra rewards will not be claimed, and these funds remain locked in the contract, creating an unfair distribution.

  • Locked Funds: Without proper validation, excess rewards may be left in the contract, becoming inaccessible. These locked funds can only be recovered through additional unsafe mechanisms or may remain indefinitely locked.


Steps to Reproduce the Issue:

  1. Deploy the ContestManager contract.

  2. Call the createContest() function with mismatched player and reward array lengths or a total reward value that does not match the sum of the rewards.

  3. Expected Outcome: An error should occur, preventing the contest from being created.

  4. Actual Outcome: The contract allows the creation of the contest, but players may not be able to claim rewards or some funds may be locked.

Tools Used

Manual Review

Recommendations

Add validation checks in the createContest() function to ensure the length of the players and rewards arrays match, and that the sum of the rewards equals totalRewards.

Steps to Fix:

  1. Check if players.length == rewards.length: Add a check to ensure that the number of players matches the number of rewards:

    require(players.length == rewards.length, "Players and rewards length mismatch");

  2. Check if sum(rewards) == totalRewards: Calculate the sum of the rewards and compare it with totalRewards:

    uint256 totalRewardSum = 0;
    for (uint256 i = 0; i < rewards.length; i++) {
        totalRewardSum += rewards[i];
    }
    require(totalRewardSum == totalRewards, "Total rewards do not match the sum of rewards");
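The two checks above, together with a helper that measures how much of totalRewards would be left without an owner, as an added example that is not code from the MyCut repository or from this submission. The names ContestInputs, stranded, validate, the custom errors and the ContestInputsDemo harness are hypothetical, and the code assumes the assignment the report describes: rewards[i] belongs to players[i], and rewards beyond players.length are ignored.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the MyCut source. Assumes the assignment the report
// describes: rewards[i] belongs to players[i]; rewards past players.length are ignored.
library ContestInputs {
    error LengthMismatch(uint256 players, uint256 rewards);
    error TotalMismatch(uint256 sum, uint256 totalRewards);

    // Portion of totalRewards that no player entry could ever claim.
    function stranded(address[] memory players, uint256[] memory rewards, uint256 totalRewards)
        internal pure returns (uint256)
    {
        uint256 n = players.length < rewards.length ? players.length : rewards.length;
        uint256 claimable;
        for (uint256 i = 0; i < n; i++) claimable += rewards[i];
        return totalRewards > claimable ? totalRewards - claimable : 0;
    }

    // Both recommended checks; meant to run before a Pot is deployed or funded.
    function validate(address[] memory players, uint256[] memory rewards, uint256 totalRewards)
        internal pure
    {
        if (players.length != rewards.length) revert LengthMismatch(players.length, rewards.length);
        uint256 sum;
        for (uint256 i = 0; i < rewards.length; i++) sum += rewards[i];
        if (sum != totalRewards) revert TotalMismatch(sum, totalRewards);
    }
}

// Constructed harness replaying the report's scenario: 3 players, 5 rewards, totalRewards 1500.
contract ContestInputsDemo {
    function scenario() public pure returns (address[] memory p, uint256[] memory r) {
        p = new address[](3);
        r = new uint256[](5);
        for (uint256 i = 0; i < 5; i++) {
            if (i < 3) p[i] = address(uint160(i + 1)); // placeholder player addresses
            r[i] = (i + 1) * 100;
        }
    }
    function strandedTokens() external pure returns (uint256) {
        (address[] memory p, uint256[] memory r) = scenario();
        return ContestInputs.stranded(p, r, 1500);
    }
    function checkedCreate() external pure {
        (address[] memory p, uint256[] memory r) = scenario();
        ContestInputs.validate(p, r, 1500); // reverts on the first failing check
    }
}
```

Custom errors carry the offending lengths and sums in the revert data, which makes a rejected createContest() call easier to diagnose than a string message.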
Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
