Mystery Box

First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Invalid

Self-transfer and wrong array manipulation in transferReward()

Summary

The transferReward() function lacks validation to prevent transferring rewards to oneself, which could create unexpected behavior. Additionally, the function has a potential issue related to array manipulation and state management. Specifically, the use of delete on an array element could lead to inconsistencies, such as leaving gaps in the array.

Vulnerability Details

  • The function allows a user to transfer rewards to their own address, which could create redundant or unnecessary operations and possibly result in unexpected behavior. There's no validation to prevent transferring rewards back to the sender.

  • The function uses the delete operation to remove an element from the rewardsOwned array. However, delete does not remove the element from the array but instead resets it to its default value (in this case, a zero-value Reward struct). This creates a gap in the array, which can lead to problems if the array is iterated over later or if users expect the array to be tightly packed.

Impact

  • Transferring rewards to oneself may not result in an immediate vulnerability, but it introduces unnecessary complexity and could cause confusion or unexpected behavior in the contract’s state.

  • The array may become fragmented, with gaps where deleted elements were, leading to inefficiencies and potential errors when accessing or iterating over the array.

Tools Used

Manual review

Recommendations

function transferReward(address _to, uint256 _index) public {
+ require(_to != msg.sender, "Cannot transfer to self");
require(_index < rewardsOwned[msg.sender].length, "Invalid index");
rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
rewardsOwned[msg.sender][_index] = rewardsOwned[msg.sender][rewardsOwned[msg.sender].length - 1];
delete rewardsOwned[msg.sender].pop();
}
Updates

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.