Mystery Box

First Flight #25

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Self-transfer and wrong array manipulation in transferReward()

newspacexyz

Summary

The transferReward() function lacks validation to prevent transferring rewards to oneself, which could create unexpected behavior. Additionally, the function has a potential issue related to array manipulation and state management. Specifically, the use of delete on an array element could lead to inconsistencies, such as leaving gaps in the array.

Vulnerability Details

The function allows a user to transfer rewards to their own address, which could create redundant or unnecessary operations and possibly result in unexpected behavior. There's no validation to prevent transferring rewards back to the sender.
The function uses the delete operation to remove an element from the rewardsOwned array. However, delete does not remove the element from the array but instead resets it to its default value (in this case, a zero-value Reward struct). This creates a gap in the array, which can lead to problems if the array is iterated over later or if users expect the array to be tightly packed.

Impact

Transferring rewards to oneself may not result in an immediate vulnerability, but it introduces unnecessary complexity and could cause confusion or unexpected behavior in the contract’s state.
The array may become fragmented, with gaps where deleted elements were, leading to inefficiencies and potential errors when accessing or iterating over the array.

Tools Used

Manual review

Recommendations

function transferReward(address _to, uint256 _index) public {

+ require(_to != msg.sender, "Cannot transfer to self");

require(_index < rewardsOwned[msg.sender].length, "Invalid index");

rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);

rewardsOwned[msg.sender][_index] = rewardsOwned[msg.sender][rewardsOwned[msg.sender].length - 1];

delete rewardsOwned[msg.sender].pop();

}

Updates

Appeal created

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.