Data Drift: Inefficient Reward Transfer Leading to Array Gaps
Summary
The transferReward function in the MysteryBox contract introduces inefficiencies by deleting rewards from the array without reordering or compacting it. This approach leaves gaps in the data structure, potentially causing inefficiencies and complicating future data management.
Vulnerability Details
The function uses the delete keyword to remove an element from the rewardsOwned array, which sets the element to its default value but does not reduce the array's length or reorder the remaining elements.
The line delete rewardsOwned[msg.sender][_index]; is where the element is set to its default value, creating a gap in the array.
Impact
Gaps in the array can lead to incorrect assumptions about the data structure, potentially causing errors in logic that processes the array.
Tools Used
Manual review
Recommendations
Instead of using delete, replace the element to be removed with the last element in the array and then reduce the array's length. This approach maintains a contiguous array without gaps.
Appeal created
A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.