Use of delete to remove an array element will mess up storage.
Summary
The element of the array is set to its default value of zero but array lenght remains the same.
Vulnerability Details
The functions; transferReward(), claimAllRewards() and claimSingleReward() use delete rewardsOwned[msg.sender][_index]; to remove an item from the rewardsOwned[msg.sender] array. In Solidity, delete does not reduce the length of the array. Instead, it sets the element at _index to its default value but the array length remains the same. This can lead to "gaps" in the array and doesn't fully remove the reward from msg.sender's ownership.Over time, users could accumulate many "empty" entries in their rewardsOwned array, leading to inefficient use of storage and potential confusion when accessing rewards.
Impact
Gaps in storage will occur
Tools Used
Manual review
Recommendations
Replace the last element of the array with the _indexand the reduce the legth of the array using pop()
Appeal created
A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.