Submission Details
Severity: high
Valid

The contract only sends 100-500 Octas to users instead of 100-500 APT

Root + Impact

From several places in the documentation: "Any pizza lover can register and claim a random slice size between 100-500 APT", but the code mistakenly sends 100-500 Octas instead (10^8 Octas = 1 APT). This means users will get a much smaller share than expected.

Description

When the owner registers a new pizza lover, they call register_pizza_lover with the user address. The random slice is generated by the following lines:

let random_val = time % 401;
let random_amount = 100 + random_val; // 100-500 APT (in Octas: 10^8 smallest unit)
table::add(&mut state.users_claimed_amount, user_addr, random_amount);

This stores in the table the amount (a raw value in Octas) to send to the user. Then, in claim_pizza_slice, the amount sent is not scaled up to APT:

@> let amount = *state.users_claimed_amount.borrow(user_addr);
// Check if contract has sufficient balance
assert!(state.balance >= amount, E_INSUFFICIENT_FUND);
// Register user to receive APT if not already registered
if (!coin::is_account_registered<AptosCoin>(user_addr)) {
coin::register<AptosCoin>(user);
};
// @audit-issue : Sends Octas to user, not APT
@> transfer_from_contract(user_addr, amount);

Due to this, the program sends 100-500 Octas to users instead of APT.

Risk

Likelihood: High

  • The program will always send a smaller amount than expected

Impact: High

  • Users receive 10^8 times less than expected

Recommended Mitigation

Scale the stored amount by 10^8 so that the 100-500 APT range is expressed in Octas, the unit the transfer actually uses:

- table::add(&mut state.users_claimed_amount, user_addr, random_amount);
+ table::add(&mut state.users_claimed_amount, user_addr, random_amount * 10^8);
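Review bot: `random_amount * 10^8` in the `+` line does not compute the intended scale factor: in Move, `^` is bitwise XOR, so `10^8` evaluates to 2 and the stored amount becomes `random_amount * 2`, still far below 100-500 APT. Use a literal or a named constant instead, e.g. `const OCTAS_PER_APT: u64 = 100000000;` and `table::add(&mut state.users_claimed_amount, user_addr, random_amount * OCTAS_PER_APT);`, and update the comment on the `random_amount` line to say the stored value is in Octas.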
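The scaling done with a named constant, plus a range check claim_pizza_slice could apply before transferring, as an added example that is not part of the submission or the audited contract; the module name, constant names and error code are assumed, and `time` stands for the same value the original derives `random_val` from.

```move
module pizza::slice_units {
    /// Number of Octas in one APT (assumed constant name; 10^8 Octas = 1 APT).
    const OCTAS_PER_APT: u64 = 100_000_000;
    /// Documented slice range, in APT.
    const MIN_SLICE_APT: u64 = 100;
    const MAX_SLICE_APT: u64 = 500;
    /// Assumed error code: stored amount is outside the documented range.
    const E_AMOUNT_OUT_OF_RANGE: u64 = 100;

    /// Derive the amount to store for a user, in Octas.
    public fun slice_amount_octas(time: u64): u64 {
        let random_val = time % 401;                         // 0..400
        let random_amount_apt = MIN_SLICE_APT + random_val;  // 100..500 APT
        // In Move `^` is XOR, so `10^8` would be 2, not 100000000;
        // multiply by the named constant to convert APT to Octas.
        random_amount_apt * OCTAS_PER_APT
    }

    /// Defensive check for the claim path: refuse to pay out an amount
    /// that does not correspond to 100-500 APT.
    public fun assert_in_documented_range(amount_octas: u64) {
        assert!(
            amount_octas >= MIN_SLICE_APT * OCTAS_PER_APT
                && amount_octas <= MAX_SLICE_APT * OCTAS_PER_APT,
            E_AMOUNT_OUT_OF_RANGE
        );
    }

    #[test]
    fun unit_scaling_is_correct() {
        assert!(slice_amount_octas(0) == 100 * OCTAS_PER_APT, 0);
        assert!(slice_amount_octas(400) == 500 * OCTAS_PER_APT, 1);
        // The raw Octas value the original code stored fails the range check
        // by a factor of 10^8; the scaled value passes it.
        assert_in_documented_range(slice_amount_octas(123));
        // The pitfall in the suggested diff: XOR, not exponentiation.
        assert!(10 ^ 8 == 2, 2);
    }
}
```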
Updates

Appeal created

bube Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect APT value
