Submission Details
Severity:
Units mismatch (APT vs octas)
Root + Impact
Description
Normal behavior: Specs state each user receives 100–500 APT.
Issue: The implementation assigns 100–500 octas (the smallest APT unit), which equals 0.000001–0.000005 APT. This is 10⁸× smaller than stated.
entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
let state = borrow_global_mut<State>(get_resource_address());
let random_val = /* ... */; // 0..400
@> let random_amount = 100 + random_val; // interpreted as "APT", but this is raw octas
table::add(&mut state.users_claimed_amount, user_addr, random_amount);
}
Risk
Likelihood:
Occurs every time a slice is assigned; the unit mismatch is systemic.
Impact:
Users receive 10⁸× less than promised (e.g., 500 octas = 0.000005 APT).
Recommended Mitigation
Either (A) adjust code to mint/transfer in octas for 100–500 APT, or (B) change docs to say “octas”.
- let random_amount = 100 + random_val; // 100–500 octas
+ let random_amount_apt = 100 + random_val; // 100–500 APT (human-readable)
+ let random_amount = random_amount_apt * 100_000_000; // convert to octas (10^8)
Rewards breakdown
nSLOC
125This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.