In the claimSingleReward() function, the index bound check is incorrect, which can lead to an out-of-bounds vulnerability. The issue stems from the following line:
This condition is incorrect because it allows the index _index to be equal to rewardsOwned[msg.sender].length. Since Solidity arrays are zero-indexed, valid indices for an array of length n range from 0 to n-1. If _index is equal to rewardsOwned[msg.sender].length, it points to an index that is out-of-bounds, which could cause unexpected behavior.
For example:
If rewardsOwned[msg.sender] has a length of 3, valid indices should be 0, 1, and 2. However, with the current check, _index = 3 would be allowed, which is out of bounds and could result in accessing invalid memory or lead to a runtime error.
Out-of-Bounds Access: The user can input an index equal to the length of the rewardsOwned[msg.sender] array, which leads to an out-of-bounds access. This can result in unintended behavior, such as accessing invalid memory, corruption of data, or potential vulnerabilities in the contract's logic.
Contract Instability: If an out-of-bounds access occurs and the contract attempts to read or delete data that doesn’t exist, the contract can either revert or behave in undefined ways, leading to the failure of the contract's intended functionality.
Potential Exploitability: While this specific vulnerability may not lead to direct exploitation (such as financial gain by an attacker), it introduces unpredictability and risk to the contract. Attackers may attempt to exploit this error in combination with other vulnerabilities to manipulate contract behavior.
Manual Review
To fix this issue, the index check should strictly ensure that _index is less than the length of the array:
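The loose check this finding describes, next to the strict one, as an added illustration that is not the audited contract's code. Only claimSingleReward, rewardsOwned and _index come from the finding; the contract name, the helper functions, the error, the pragma and the swap-and-pop removal are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Constructed illustration; not the audited contract.
contract RewardIndexCheck {
    mapping(address => uint256[]) public rewardsOwned;

    error IndexOutOfBounds(uint256 index, uint256 length);

    // Hypothetical helper so the example has data to work on.
    function addReward(uint256 value) external {
        rewardsOwned[msg.sender].push(value);
    }

    // Loose check as the finding describes it: _index == length passes
    // the guard. On Solidity >= 0.8 the checked array read below then
    // reverts with Panic(0x32) instead of the guard's own message.
    function claimSingleRewardLoose(uint256 _index) external returns (uint256 value) {
        uint256[] storage owned = rewardsOwned[msg.sender];
        require(_index <= owned.length, "index out of range");
        value = owned[_index];
        _remove(owned, _index);
    }

    // Strict check: _index == length is rejected before any array access,
    // with an error that names the offending index and the array length.
    function claimSingleRewardStrict(uint256 _index) external returns (uint256 value) {
        uint256[] storage owned = rewardsOwned[msg.sender];
        if (_index >= owned.length) revert IndexOutOfBounds(_index, owned.length);
        value = owned[_index];
        _remove(owned, _index);
    }

    // Swap-and-pop removal (assumed; the finding only says that the
    // function reads or deletes the entry at _index).
    function _remove(uint256[] storage owned, uint256 i) private {
        owned[i] = owned[owned.length - 1];
        owned.pop();
    }
}
```

A unit test for the fix should call the claim function with _index equal to the current array length, including the empty-array case where both are 0, and assert that it reverts with the guard's error.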