Submission Details
Severity: high
Valid

M0. Unit Bug in Payouts

Root + Impact

Description

The pizza_drop::airdrop module is designed to randomly assign each registered user between 100 and 500 APT during the registration phase. A user can then claim this amount from the resource account.

However, the code treats these values as octas (the smallest denomination of APT, 1 APT = 100_000_000 octas) without scaling them properly. This means that instead of receiving 100–500 APT, users only receive 100–500 octas (≈0.000001–0.000005 APT).

Specific Issue

The bug originates in the get_random_slice function, which assigns random_amount directly to the user’s claim amount:

    #[randomness]
    entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
        let state = borrow_global_mut<State>(get_resource_address());
        let time = timestamp::now_microseconds();
        let random_val = time % 401;
        let random_amount = 100 + random_val; // BUG: interpreted as octas, not APT
        table::add(&mut state.users_claimed_amount, user_addr, random_amount);
    }

The comment claims "100–500 APT," but the code delivers "100–500 octas," which is 1/100,000,000th of the intended value.


Risk

Likelihood: High

  • The code path is exercised every time a user registers.

  • All users are affected; no special conditions required.

Impact: Medium

  • Users receive effectively worthless payouts (~fractions of a cent) instead of full APT.

  • The contract owner may mistakenly fund far less than needed, believing payouts are in APT.

This is a severe economic bug: the contract fails its core purpose as an airdrop.


Proof of Concept

Asserting on the assigned value in octas (1 APT = 10^8 octas) in the Aptos unit tests catches the bug, because the stored 100–500 falls far below the lower bound:

    // 100 APT = 10_000_000_000 octas, 500 APT = 50_000_000_000 octas
    assert!(assigned_amount >= 10_000_000_000 && assigned_amount <= 50_000_000_000, 3);

Recommended Mitigation

Scale the payout by 1e8 to correctly express APT in octas:

- let random_amount = 100 + random_val; // 100–500 octas (BUG)
+ const OCTAS_PER_APT: u64 = 100_000_000;
+ let random_amount = (100 + random_val) * OCTAS_PER_APT; // 100–500 APT
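Review bot: the `+ const OCTAS_PER_APT: u64 = 100_000_000;` line is placed inside the function body, but Move only allows `const` declarations at module level; lift it above `get_random_slice` and keep only the multiplication line in the body. The worst case `(100 + 400) * 100_000_000 = 50_000_000_000` fits comfortably in u64, so no overflow guard is needed.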

Additionally, update the comment to clarify units and avoid confusion.
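The mitigation and the PoC assertion can be combined into a unit-aware helper plus an exhaustive test over every possible random_val. This is an added example, not code from the pizza_drop project; the module address `pizza_drop_example` and the function names are assumptions.

```move
// Added example (not from pizza_drop): keep the APT/octas conversion in one
// place and prove in tests that every payout lands in the intended 100–500 APT range.
module pizza_drop_example::payout_units {
    /// Aptos uses 8 decimals: 1 APT = 100_000_000 octas.
    const OCTAS_PER_APT: u64 = 100_000_000;
    /// Intended payout bounds, expressed in whole APT.
    const MIN_PAYOUT_APT: u64 = 100;
    const MAX_PAYOUT_APT: u64 = 500;

    /// Error raised when the random value is outside the 0..=400 window.
    const E_RANDOM_VAL_OUT_OF_RANGE: u64 = 1;

    /// Convert a whole-APT amount into octas, the unit the coin framework spends.
    public fun apt_to_octas(apt: u64): u64 {
        apt * OCTAS_PER_APT
    }

    /// Payout for a random value in [0, 400], returned in octas.
    /// Mirrors `100 + random_val` from the finding, with the missing scaling applied.
    public fun payout_octas(random_val: u64): u64 {
        assert!(random_val <= MAX_PAYOUT_APT - MIN_PAYOUT_APT, E_RANDOM_VAL_OUT_OF_RANGE);
        apt_to_octas(MIN_PAYOUT_APT + random_val)
    }

    #[test]
    fun every_random_value_pays_between_100_and_500_apt() {
        let v = 0;
        while (v <= 400) {
            let octas = payout_octas(v);
            // The original bug would fail the first assertion for every v (max 500 octas).
            assert!(octas >= apt_to_octas(MIN_PAYOUT_APT), 2);
            assert!(octas <= apt_to_octas(MAX_PAYOUT_APT), 3);
            // Payouts are whole APT, so they must be exact multiples of one APT.
            assert!(octas % OCTAS_PER_APT == 0, 4);
            v = v + 1;
        };
    }

    #[test]
    #[expected_failure(abort_code = 1, location = Self)]
    fun random_value_above_400_aborts() {
        payout_octas(401);
    }
}
```

Run with `aptos move test` after adding `pizza_drop_example` as a named address in Move.toml.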

Updates

Appeal created

bube Lead Judge 9 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect APT value
