The specific issue identified is that the `createContest` function does not validate whether the length of the `players` array matches the length of the `rewards` array. This mismatch can lead to incorrect reward distributions or potential reverts during execution.
The `createContest` function initializes a new contest with the following parameters:
`players`: An array containing the addresses of participants.
`rewards`: An array containing the corresponding reward amounts for each participant.
`token`: The ERC-20 token used for rewards.
`totalRewards`: The total amount of tokens allocated for the contest.
The function does not currently validate that the length of the `players` array is equal to the length of the `rewards` array. If these arrays have differing lengths, the function might behave unexpectedly:
Insufficient Rewards: If the `rewards` array is shorter than the `players` array, some players may not receive any rewards, which could lead to disputes.
Excessive Rewards: If the `rewards` array is longer than the `players` array, extra rewards could be unallocated, potentially causing the function to revert or leading to an inconsistent state.
Incorrect Distribution: The mismatch between the arrays can lead to incorrect or incomplete distribution of rewards, undermining the fairness and functionality of the protocol.
Transaction Reverts: Inconsistencies between the array lengths can cause the contract to revert during execution, leading to a poor user experience.
Manual Review
Length Validation: Implement a check in the `createContest` function to ensure that the `players` and `rewards` arrays have the same length before proceeding with the contest creation.
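One way to implement this check, shown as an added Solidity example that is not the audited project's code. The contract name, storage layout, custom error and the `rewardAt` helper are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch: contract name, struct layout, error and rewardAt()
// are assumptions made for illustration, not the audited code.
contract ContestSketch {
    error ArrayLengthMismatch(uint256 playersLength, uint256 rewardsLength);

    struct Contest {
        address token;
        uint256 totalRewards;
        address[] players;
        uint256[] rewards;
    }

    Contest[] private contests;

    function createContest(
        address[] calldata players,
        uint256[] calldata rewards,
        address token,
        uint256 totalRewards
    ) external returns (uint256 contestId) {
        // Reject mismatched inputs before any state is written, so a bad
        // call fails at creation instead of at distribution time.
        if (players.length != rewards.length) {
            revert ArrayLengthMismatch(players.length, rewards.length);
        }

        contestId = contests.length;
        Contest storage c = contests.push();
        c.token = token;
        c.totalRewards = totalRewards;
        c.players = players;
        c.rewards = rewards;
    }

    // Every stored player index now has a reward at the same index, so for
    // any valid player index the reward lookup at that index also succeeds.
    function rewardAt(uint256 contestId, uint256 index)
        external
        view
        returns (address player, uint256 amount)
    {
        Contest storage c = contests[contestId];
        return (c.players[index], c.rewards[index]);
    }
}
```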