High Severity: The contract does not check for duplicate entries in the players array during initialization. If a player appears multiple times with different rewards, the current implementation overwrites the previous reward value in the playersToRewards mapping instead of adding the rewards together. This results in incorrect reward allocation, where the player could receive either less or more than their rightful total rewards, leading to financial discrepancies.
In the constructor of the Pot contract, player rewards are initialized using a loop that assigns rewards from the i_rewards array to the players in the i_players array.
Since there is no check for duplicate entries in the i_players array, a player listed multiple times with different rewards will have their reward overwritten in the playersToRewards mapping. Instead of adding the rewards for duplicate entries, the mapping only retains the last specified reward. This leads to an incorrect total reward for that player, as earlier rewards are overridden.
The impact of this vulnerability includes:
Incorrect Reward Allocation: A player appearing multiple times in the i_players array may end up receiving either more or less than their total calculated reward, depending on the order of entries.
Financial Discrepancies: This could lead to significant financial discrepancies and dissatisfaction among players who expect to receive their total allocated rewards.
Loss of Trust: The integrity of the reward distribution process is compromised, potentially leading to a loss of trust in the contract's fairness.
Manual Review
To efficiently resolve this issue, modify the reward assignment in the constructor to accumulate rewards for each player instead of overwriting them. This ensures that players receive the total sum of all their rewards, even if they appear multiple times in the i_players array.
Updated Constructor with Accumulation Logic:
By changing the assignment playersToRewards[i_players[i]] = i_rewards[i] to playersToRewards[i_players[i]] += i_rewards[i], the contract correctly accumulates the total rewards for each player, ensuring accurate reward distribution without the need for additional gas-consuming checks for duplicates.
This approach is more gas-efficient than adding extra checks or requiring unique entries and still resolves the issue effectively.
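The following Solidity snippet is an added illustration of both the overwrite described above and the accumulation fix; it is not the audited Pot contract's code. The constructor signature, the array length check, the contract names PotVulnerable and PotFixed, the totalAllocated helper and the DuplicateCheck harness are assumptions made for the example; only the names i_players, i_rewards and playersToRewards come from the finding. The harness constructs an input in which one address appears twice and checks that the fixed contract allocates exactly the sum of i_rewards while the vulnerable one leaves part of it unassigned.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable shape (assumed): a duplicate address in i_players keeps only the
// reward from its last occurrence, so earlier rewards for that player are lost.
contract PotVulnerable {
    address[] public i_players;
    uint256[] public i_rewards;
    mapping(address => uint256) public playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards) {
        i_players = players;
        i_rewards = rewards;
        for (uint256 i = 0; i < i_players.length; i++) {
            // Plain assignment: a repeated address overwrites its previous entry.
            playersToRewards[i_players[i]] = i_rewards[i];
        }
    }
}

// Fixed shape (assumed): rewards accumulate per address, so the mapping total
// equals the sum of i_rewards regardless of duplicates or their order.
contract PotFixed {
    address[] public i_players;
    uint256[] public i_rewards;
    mapping(address => uint256) public playersToRewards;

    constructor(address[] memory players, uint256[] memory rewards) {
        // Length check is an added assumption, not part of the finding's fix.
        require(players.length == rewards.length, "players/rewards length mismatch");
        i_players = players;
        i_rewards = rewards;
        for (uint256 i = 0; i < i_players.length; i++) {
            // Accumulate instead of overwrite: the change recommended in the finding.
            playersToRewards[i_players[i]] += i_rewards[i];
        }
    }

    // Sums each distinct player's allocation once. Quadratic in i_players;
    // meant for tests of the allocation invariant, not for production use.
    function totalAllocated() external view returns (uint256 total) {
        for (uint256 i = 0; i < i_players.length; i++) {
            bool seenEarlier = false;
            for (uint256 j = 0; j < i; j++) {
                if (i_players[j] == i_players[i]) {
                    seenEarlier = true;
                    break;
                }
            }
            if (!seenEarlier) {
                total += playersToRewards[i_players[i]];
            }
        }
    }
}

// Test harness (assumed): deploys both versions with a constructed input in
// which alice appears twice and checks the allocation invariant on each.
contract DuplicateCheck {
    function run()
        external
        returns (uint256 vulnerableAlice, uint256 fixedAlice, uint256 supplied)
    {
        // Constructed sample input: two players, alice listed twice.
        address alice = address(0xA11CE);
        address bob = address(0xB0B);
        address[] memory players = new address[](3);
        uint256[] memory rewards = new uint256[](3);
        players[0] = alice; rewards[0] = 10;
        players[1] = bob;   rewards[1] = 20;
        players[2] = alice; rewards[2] = 5;
        for (uint256 i = 0; i < rewards.length; i++) {
            supplied += rewards[i];
        }

        PotVulnerable v = new PotVulnerable(players, rewards);
        PotFixed f = new PotFixed(players, rewards);

        vulnerableAlice = v.playersToRewards(alice);
        fixedAlice = f.playersToRewards(alice);

        // Fixed contract: every supplied unit is allocated to some player.
        require(f.totalAllocated() == supplied, "fixed: allocation must equal supplied total");
        require(fixedAlice == rewards[0] + rewards[2], "fixed: alice must receive both rewards");

        // Vulnerable contract: alice holds only her last entry, so part of the
        // supplied total is never allocated to anyone.
        require(vulnerableAlice == rewards[2], "vulnerable: only the last entry survives");
        require(
            vulnerableAlice + v.playersToRewards(bob) < supplied,
            "vulnerable: some supplied rewards are unallocated"
        );
    }
}
```

Calling DuplicateCheck.run() from a test framework or a local node exercises both constructors on the same input; the require statements fail if either contract's behaviour differs from what the finding describes. The invariant worth keeping in the project's own test suite is the one on the fixed contract: the sum of playersToRewards over distinct players must equal the sum of i_rewards.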