Submission Details
Severity: high
Valid

H-01: Units Misconfiguration in Random Amount Generation

Root + Impact

Description

The PizzaDrop contract generates reward amounts in Octas (the base unit of APT, 1 Octa = 10^-8 APT) while the project advertises them in whole APT. Users therefore receive microscopic amounts (0.000001-0.000005 APT) instead of the promised 100-500 APT.

The get_random_slice() function draws a value in the range 100-500 and stores it directly as the claimable amount, without scaling it to the token's decimals (multiplying by 10^8, the number of Octas per APT).

// Lines 125-126 in pizza_drop.move
let random_amount = 100 + random_val; // Generates 100-500 Octas instead of 100-500 APT
table::add(&mut state.users_claimed_amount, user_addr, random_amount);
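To make the unit mismatch concrete, and to show the check that would have caught it before deployment, here is an added example that is not part of the original finding or of the PizzaDrop code base. It is a standalone Move module that keeps the faulty computation beside a hardened version with a named decimal constant, a bounds assertion and unit tests, plus a helper for the treasury funding the fixed range implies. The module name slice_units, the function names, and the assumption that random_val lies in 0..=400 are mine; only the pizza_drop named address comes from the page.

```move
module pizza_drop::slice_units {
    /// APT has 8 decimal places: 1 APT = 10^8 Octas.
    const OCTAS_PER_APT: u64 = 100_000_000;
    /// Advertised reward range, in whole APT.
    const MIN_SLICE_APT: u64 = 100;
    const MAX_SLICE_APT: u64 = 500;

    /// Abort code: the computed slice falls outside the advertised range.
    const E_SLICE_OUT_OF_RANGE: u64 = 1;

    /// Faulty version mirroring the logic in the finding. It assumes
    /// random_val is in 0..=400 and returns a raw number that the caller
    /// then stores and pays out as Octas.
    public fun slice_vulnerable(random_val: u64): u64 {
        MIN_SLICE_APT + random_val
    }

    /// Hardened version: same draw, but the whole-APT value is checked
    /// against the advertised bounds and scaled to Octas before it is stored.
    public fun slice_in_octas(random_val: u64): u64 {
        let amount_apt = MIN_SLICE_APT + random_val;
        assert!(amount_apt <= MAX_SLICE_APT, E_SLICE_OUT_OF_RANGE);
        amount_apt * OCTAS_PER_APT
    }

    /// Octas the treasury must hold to honour `claimants` worst-case claims.
    public fun required_funding_octas(claimants: u64): u64 {
        claimants * MAX_SLICE_APT * OCTAS_PER_APT
    }

    #[test]
    fun vulnerable_result_is_eight_decimals_short() {
        // random_val = 81 reproduces the 181 seen in the PoC (assumed draw).
        let raw = slice_vulnerable(81);
        let fixed = slice_in_octas(81);
        assert!(raw == 181, 0);
        assert!(fixed == 18_100_000_000, 0);
        assert!(fixed / raw == OCTAS_PER_APT, 0);
    }

    #[test]
    fun endpoints_map_to_advertised_range() {
        assert!(slice_in_octas(0) == 10_000_000_000, 0);   // 100 APT
        assert!(slice_in_octas(400) == 50_000_000_000, 0); // 500 APT
        // The 1,000,000 Octas used in the PoC's fund call covers no claim at all.
        assert!(required_funding_octas(1) > 1_000_000, 0);
    }

    #[test]
    #[expected_failure(abort_code = E_SLICE_OUT_OF_RANGE, location = Self)]
    fun rejects_draw_above_range() {
        slice_in_octas(401);
    }
}
```

Run the tests with aptos move test from a package whose Move.toml declares the pizza_drop named address. The point of the first test is the ratio check: any implementation that forgets the decimal factor fails it immediately, which is a cheaper catch than a devnet claim that pays out 0.00000181 APT.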

Risk

Likelihood:

  • Every user registration triggers this bug automatically

  • 100% of participants receive incorrect reward amounts

  • No special conditions required for exploitation

Impact:

  • Users receive 10^8 (100,000,000) times less than the stored value is meant to represent, and at least 55,248,619x less than the advertised minimum of 100 APT (the 181 assigned in the PoC is paid as 181 Octas instead of 181 APT)

  • Complete protocol failure - advertised value proposition becomes worthless

  • Reputational damage and potential legal issues for false advertising

Proof of Concept

This vulnerability occurs every time a user is registered. The following steps demonstrate the issue:

1. The contract is deployed and funded with APT.
2. The owner registers any user via register_pizza_lover().
3. get_random_slice() assigns a raw value in the range 100-500 as the user's "APT amount".
4. The user claims and receives a microscopic amount instead of the advertised reward.

The PoC below shows a user assigned 181 Octas (0.00000181 APT) when 100-500 APT was expected, more than 55 million times less value than the advertised minimum.

# Deploy and fund the contract (amount is in Octas)
aptos move publish --profile local --named-addresses pizza_drop=local
aptos move run --function-id 'local::airdrop::fund_pizza_drop' --args u64:1000000 --profile local
# Register a user and read back the assigned amount
aptos move run --function-id 'local::airdrop::register_pizza_lover' --args address:0xUSER_ADDRESS --profile local
aptos move view --function-id 'local::airdrop::get_claimed_amount' --args address:0xUSER_ADDRESS --profile local
# Result: 181 Octas assigned (0.00000181 APT)
# Expected: 100-500 APT (10,000,000,000-50,000,000,000 Octas)
# Difference: 55,248,619x less than the 100 APT minimum; 10^8x less than the 181 APT the value should represent

Recommended Mitigation

The fix is to apply the token's decimal conversion when the reward amount is generated: multiply the drawn value by 100,000,000 (Octas per APT) before storing it, so that the 100-500 range represents whole APT as the project documentation describes rather than base units.

- let random_amount = 100 + random_val;
+ let random_amount = (100 + random_val) * 100_000_000; // Convert to Octas (APT * 10^8)
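Review bot: the multiplier in the `+` line is a magic number; declare it once as a named constant (for example `const OCTAS_PER_APT: u64 = 100_000_000;`) so every place that compares, funds or pays amounts uses the same factor. After this change each claim pays between 10,000,000,000 and 50,000,000,000 Octas, so the `fund_pizza_drop` call with `u64:1000000` in the PoC would leave the contract unable to honour even one claim; the funding amount and any cap on registrations must move to the same unit. Overflow is not a concern: `(100 + random_val) * 100_000_000` stays far below the u64 maximum for any value in the 100-500 range.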

Updates

Appeal created

bube Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect APT value
