Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Treat Array duplication

Summary

  • Root Cause: treatNames array can contain duplicates

  • Impact: Inflated array size and incorrect enumeration

Vulnerability Details

https://github.com/Cyfrin/2024-10-trick-or-treat/blob/main/src/TrickOrTreat.sol#L37-L41

Every call to addTreat pushes to treatNames array without checking for duplicates:

function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public onlyOwner {
    treatList[_name] = Treat(_name, _rate, _metadataURI);
@>  treatNames.push(_name);
    emit TreatAdded(_name, _rate, _metadataURI);
}

POC

function testTreatArrayDuplication() public {
    spookySwap.addTreat("Candy", 1 ether, "uri1");
    spookySwap.addTreat("Candy", 2 ether, "uri2");
    // treatNames now has duplicate "Candy" entries
    string[] memory treats = spookySwap.getTreats();
    // treats.length is 2 but should be 1
    assertEq(treats.length, 2);
}

Impact

Inflated array size and incorrect enumeration.

Tools Used

Recommendations

Add a mapping that tracks which treat names have already been added.

mapping(string => bool) private _treatExists;

function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public onlyOwner {
    require(!_treatExists[_name], "Treat already exists");
    treatList[_name] = Treat(_name, _rate, _metadataURI);
    treatNames.push(_name);
    _treatExists[_name] = true;
    emit TreatAdded(_name, _rate, _metadataURI);
}
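
The following is an added example, not code from the submission or the contest repository: a self-contained model showing what enumeration returns after a duplicate add (two names backed by one overwritten mapping record) next to the recommended check. The contract names `TreatRegistry` and `DuplicateTreatCheck`, the `rejectDuplicates` flag, and the `Treat` field names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model of the storage the finding discusses, not the contest contract.
// Treat's field names are assumptions; only the constructor argument order is on the page.
contract TreatRegistry {
    struct Treat { string name; uint256 rate; string metadataURI; }
    address public immutable owner;
    bool public immutable rejectDuplicates; // false = behaviour reported in the finding
    mapping(string => Treat) public treatList;
    mapping(string => bool) private _treatExists;
    string[] public treatNames;

    constructor(bool _rejectDuplicates) {
        owner = msg.sender;
        rejectDuplicates = _rejectDuplicates;
    }

    function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public {
        require(msg.sender == owner, "not owner");
        if (rejectDuplicates) require(!_treatExists[_name], "Treat already exists");
        treatList[_name] = Treat(_name, _rate, _metadataURI); // overwrites any earlier record
        treatNames.push(_name);
        _treatExists[_name] = true;
    }

    function getTreats() public view returns (string[] memory) { return treatNames; }
}

// Hypothetical checker: it deploys both variants, so it is their owner. Call run().
contract DuplicateTreatCheck {
    function run() external returns (bool) {
        TreatRegistry loose = new TreatRegistry(false);
        loose.addTreat("Candy", 1 ether, "uri1");
        loose.addTreat("Candy", 2 ether, "uri2");
        require(loose.getTreats().length == 2, "expected two enumerated names");
        // One mapping record backs both names, so each resolves to the second rate.
        (, uint256 rate, ) = loose.treatList("Candy");
        require(rate == 2 ether, "expected overwritten rate");
        TreatRegistry strict = new TreatRegistry(true);
        strict.addTreat("Candy", 1 ether, "uri1");
        try strict.addTreat("Candy", 2 ether, "uri2") {
            revert("duplicate was accepted");
        } catch Error(string memory reason) {
            require(keccak256(bytes(reason)) == keccak256("Treat already exists"), "wrong revert");
        }
        return true;
    }
}
```
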
Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Duplicate treats

The function `addTreat` is called by the owner. The owner is trusted. There will be no duplicates.
