Mystery Box

First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Invalid

Incorrect Index Bound Check in claimSingleReward() Leading to Out-of-Bounds Vulnerability

Vulnerability Details

In the claimSingleReward() function, the index bound check is incorrect, which can lead to an out-of-bounds vulnerability. The issue stems from the following line:

require(_index <= rewardsOwned[msg.sender].length, "Invalid index");

This condition is incorrect because it allows the index _index to be equal to rewardsOwned[msg.sender].length. Since Solidity arrays are zero-indexed, valid indices for an array of length n range from 0 to n-1. If _index is equal to rewardsOwned[msg.sender].length, it points to an index that is out-of-bounds, which could cause unexpected behavior.

For example:

  • If rewardsOwned[msg.sender] has a length of 3, valid indices should be 0, 1, and 2. However, with the current check, _index = 3 would be allowed, which is out of bounds and could result in accessing invalid memory or leading to a runtime error.

Impact

  1. Out-of-Bounds Access: The user can input an index equal to the length of the rewardsOwned[msg.sender] array, which leads to an out-of-bounds access. This can result in unintended behavior, such as accessing invalid memory, corruption of data, or potential vulnerabilities in the contract's logic.

  2. Contract Instability: If an out-of-bounds access occurs and the contract attempts to read or delete data that doesn’t exist, the contract can either revert or behave in undefined ways, leading to the failure of the contract's intended functionality.

  3. Potential Exploitability: While this specific vulnerability may not lead to direct exploitation (such as financial gain by an attacker), it introduces unpredictability and risk to the contract. Attackers may attempt to exploit this error in combination with other vulnerabilities to manipulate contract behavior.

Tools Used

Manual Review

Recommendations

To fix this issue, the index check should strictly ensure that _index is less than the length of the array:

require(_index < rewardsOwned[msg.sender].length, "Invalid index");
Updates

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.