Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

Discrepancies in Expected Number of Rewards after Deletion

Summary

The transferReward function includes a delete statement that resets a reward to its default value. This can lead to discrepancies in the expected number of rewards, as the array length remains unchanged, potentially causing issues in subsequent reward management operations.

Vulnerability Details

The transferReward function is designed to transfer a specific reward from one user to another.

```solidity
function transferReward(address _to, uint256 _index) public {
    require(_index < rewardsOwned[msg.sender].length, "Invalid index");
    rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
    delete rewardsOwned[msg.sender][_index];
}
```

The delete operation sets the reward at the specified index to its default value but does not reduce the array's length.

Impact

Users may see incorrect counts of available rewards, or may attempt to transfer or claim non-existent rewards, leading to potential user frustration and operational errors.

Tools Used

Manual Review

Recommendations

Discrepancies in the expected number of rewards after deletion can be eliminated by replacing the deleted reward with the last element in the array and reducing the array length.
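One way to implement this recommendation, as an added example that is not the audited contract's own code. The `Reward` struct fields, the contract name and the `grant` and `rewardCount` helpers are assumptions made so the example is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: swap-and-pop removal in transferReward.
contract RewardTransferExample {
    // Assumed layout; the page does not show the real struct.
    struct Reward {
        string name;
        uint256 value;
    }

    mapping(address => Reward[]) public rewardsOwned;

    // Hypothetical helper for exercising the example in a test.
    // It has no access control and is not meant for deployment.
    function grant(address _user, string calldata _name, uint256 _value) external {
        rewardsOwned[_user].push(Reward(_name, _value));
    }

    // Hypothetical helper: array length now equals the number of real rewards.
    function rewardCount(address _user) external view returns (uint256) {
        return rewardsOwned[_user].length;
    }

    function transferReward(address _to, uint256 _index) public {
        Reward[] storage senderRewards = rewardsOwned[msg.sender];
        require(_index < senderRewards.length, "Invalid index");

        // Copy the reward to the recipient first.
        rewardsOwned[_to].push(senderRewards[_index]);

        // Swap-and-pop: move the last element into the vacated slot,
        // then shrink the array so no default-valued entry is left behind.
        // `last` is read after the push so a self-transfer (_to == msg.sender)
        // leaves the sender's array unchanged.
        uint256 last = senderRewards.length - 1;
        if (_index != last) {
            senderRewards[_index] = senderRewards[last];
        }
        senderRewards.pop();
    }
}
```

Swap-and-pop does not preserve ordering: after a transfer, the reward that was last in the sender's array sits at `_index`, so callers should not reuse indices read before the transfer.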

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
