DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

* First parameter in the `add()` function should be type `Bytes32Set` instead of `struct Set`

Summary

The first parameter in the `add()` function should be type `Bytes32Set`, but the actual parameter, the mapping entry `userDeposits[msg.sender]`, is finally defined as `struct Set { bytes32[] _values; mapping(bytes32 => uint256) _indexes; }`.

```solidity
EnumerableSet.add(userDeposits[msg.sender], counter);
```

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L231

Vulnerability Details

The first parameter in the `add()` function should be type `Bytes32Set`, but the actual parameter there is `userDeposits[msg.sender]`, and then `userDeposits[msg.sender]` --> `mapping (address => EnumerableSet.UintSet) userDeposits` --> `struct UintSet { Set _inner; }` --> `struct Set { bytes32[] _values; mapping(bytes32 => uint256) _indexes; }`.

```solidity
EnumerableSet.add(userDeposits[msg.sender], counter);

mapping (address => EnumerableSet.UintSet) userDeposits;

struct UintSet {
    Set _inner;
}

struct Set {
    // Storage of set values
    bytes32[] _values;
    // Position of the value in the `values` array, plus 1 because index 0
    // means a value is not in the set.
    mapping(bytes32 => uint256) _indexes;
}
```

Impact

The wrong data type is used; it leads to incorrect deposit tracking, which can affect user withdrawals and overall contract functionality.

Tools Used

manual

Recommendations

Ensure that the data type used in the userDeposits mapping aligns with the expected data type in the add() function. If the intention is to use Bytes32Set, update the mapping accordingly.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
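A harness of the kind the judging note asks for, written here as an added example; it is not part of the submission or of the Gamma code base. The contract name, `deposit()`, `withdraw()`, `depositIds()` and `selfCheck()` are hypothetical, and the import assumes an OpenZeppelin 4.x release matching the `Set` layout quoted in the submission. It reproduces only the quoted call shape and exercises it through external functions, so the tracked ids can be compared with what was deposited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";

// Hypothetical harness, NOT PerpetualVault: it keeps only the mapping and the
// add() call quoted in the submission. The counter handling is an assumption.
contract DepositTrackingHarness {
    mapping(address => EnumerableSet.UintSet) private userDeposits;
    uint256 public counter;

    function deposit() external returns (uint256 id) {
        id = ++counter;
        // The library declares add(UintSet storage, uint256), which forwards
        // to the private _add(set._inner, bytes32(value)) on the inner Set.
        bool added = EnumerableSet.add(userDeposits[msg.sender], id);
        require(added, "id already tracked");
    }

    function withdraw(uint256 id) external {
        // remove(UintSet storage, uint256) returns false for an unknown id.
        require(EnumerableSet.remove(userDeposits[msg.sender], id), "unknown id");
    }

    function depositIds(address user) external view returns (uint256[] memory) {
        return EnumerableSet.values(userDeposits[user]);
    }

    // Drives the external entry points with this contract as msg.sender and
    // reports whether the tracked ids match the deposits made and withdrawn.
    function selfCheck() external returns (bool) {
        uint256 first = this.deposit();
        uint256 second = this.deposit();
        uint256[] memory ids = this.depositIds(address(this));
        if (ids.length != 2 || ids[0] != first || ids[1] != second) return false;

        this.withdraw(first);
        ids = this.depositIds(address(this));
        return ids.length == 1
            && ids[0] == second
            && !EnumerableSet.contains(userDeposits[address(this)], first);
    }
}
```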
