Aptos Pizza Drop

Cyfrin

Beginner FriendlyGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

M-01: Unnecessary Public Entry Function

agilegypsy

Root + Impact

Description

Internal utility functions should be marked as public when only called by other contract functions to maintain proper access control
The get_random_slice() function is marked as public entry but is only used internally by claim_slice(), allowing unnecessary external calls

@> public entry fun get_random_slice(): u8 {

let now = timestamp::now_microseconds();

let random_value = now % 8;

random_value as u8

}

Risk

Likelihood:

External actors can directly call get_random_slice() without going through proper claim mechanics
Direct calls consume gas and provide no meaningful functionality to external callers

Impact:

Unnecessary gas expenditure for external callers who invoke the function directly
Potential confusion about contract interface and intended usage patterns

Proof of Concept

// External actor can call this function directly

public fun demonstrate_unnecessary_access() {

// This call succeeds but provides no value to caller

let slice = get_random_slice();

// Caller spent gas but gained no pizza slice or meaningful result

// The function should only be callable internally by claim_slice()

// but current visibility allows wasteful external calls

}

The public entry modifier makes the function callable by external transactions, but the function only returns a random number without any state changes or meaningful operations. External callers waste gas calling a function that provides no benefit outside the internal contract logic.

Recommended Mitigation

- public entry fun get_random_slice(): u8 {

+ public fun get_random_slice(): u8 {

let now = timestamp::now_microseconds();

let random_value = now % 8;

random_value as u8

}

Removing the entry modifier prevents direct external calls while maintaining internal accessibility. The public visibility allows claim_slice() to call the function internally, but external transactions cannot invoke it directly. This follows the principle of least privilege by restricting function access to its intended usage pattern.

Updates

Appeal created

bube Lead Judge 11 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Anyone can call `get_random_slice` function

Rewards breakdown

nSLOC

125

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.