Beginner Friendly / GameFi
100 EXP
Submission Details
Impact: medium
Likelihood: low
Status: Invalid

Use of Magic Numbers

Root + Impact

The reward calculation relies on the hardcoded literals 401 and 100 (which together imply a 100..500 payout range) instead of named constants or configuration values. A developer updating the reward range later must change both literals consistently; changing only one silently produces an unintended payout range.

Description

  • Normal behavior: The reward calculation should use clearly defined constants for transparency and maintainability.

  • Issue: The function uses the literals 401 and 100 directly in the logic, and the upper bound 500 exists only implicitly (100 + 400). These "magic numbers" lack context and make the contract harder to audit, maintain, and upgrade. More importantly, they obscure the intended reward range and invite inconsistencies if the bounds are later modified in one place but not the other.

// Magic numbers in calculation (code as found; the literals are the issue)
let random_val = time % 401; //@> 401 is unexplained: yields 0..=400
let random_amount = 100 + random_val; //@> 100 + (0..=400) = 100..=500; neither bound is named

Risk

Likelihood:

  • High chance of introducing an error whenever the reward bounds need to be updated, because the two literals must be changed together.

  • The risk is present on every maintenance or upgrade touching this code path.

Impact:

  • Reduced readability and auditability of the reward logic.

  • Misconfiguration leading to an unintended reward range (e.g., if only one of the two numbers is updated).

Proof of Concept

If developers later decide to change rewards to 50–250, they must update both literals: the base 100 becomes 50 and the modulus 401 becomes 201 (250 - 50 + 1, so that the remainder covers 0..=200). Missing one update creates an unintended range: changing only the base yields 50..=450, changing only the modulus yields 100..=300. Either change compiles and runs without error.
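As an added illustration of the description and the proof of concept above (this is example code, not the audited contract), the following Rust snippet computes the actual payout range of the original logic, of the half-updated variant, and of a named-constant version whose bounds are checked at compile time. The function names, the `observed_range` scanner and the assumption that `time` may be a signed timestamp are all illustrative; only the `time % 401` / `100 + random_val` logic comes from the page.

```rust
// Added example (not the contest code): reward range derived from named
// constants, with the bound invariant checked at compile time.
// Function names and the signed `time` parameter are assumptions.

const MIN_REWARD: u64 = 100;
const MAX_REWARD: u64 = 500;
// Number of distinct outcomes in the inclusive range MIN_REWARD..=MAX_REWARD.
const REWARD_SPAN: u64 = MAX_REWARD - MIN_REWARD + 1;

// Compile-time guard: swapped bounds fail the build with a clear message
// instead of silently producing a wrong range.
const _: () = assert!(MAX_REWARD >= MIN_REWARD, "MAX_REWARD must not be below MIN_REWARD");

/// Logic as written on the page: two unexplained literals.
fn reward_original(time: u64) -> u64 {
    let random_val = time % 401;
    100 + random_val
}

/// The "half update" from the proof of concept: the base was changed to 50
/// for an intended 50..=250 range, but the modulus was left at 401.
fn reward_half_updated(time: u64) -> u64 {
    let random_val = time % 401;
    50 + random_val
}

/// Named-constant version. `time` is taken as i64 because on-chain clock
/// values are commonly signed (assumption); `rem_euclid` keeps the remainder
/// non-negative even for negative input, so the result stays in range.
fn reward_named(time: i64) -> u64 {
    let random_val = time.rem_euclid(REWARD_SPAN as i64) as u64;
    MIN_REWARD + random_val
}

/// Exhaustively scan one full period of the modulus and return (min, max)
/// of the observed payouts, i.e. the real range of a given variant.
fn observed_range<F: Fn(u64) -> u64>(f: F, period: u64) -> (u64, u64) {
    let mut lo = u64::MAX;
    let mut hi = 0;
    for t in 0..period {
        let r = f(t);
        lo = lo.min(r);
        hi = hi.max(r);
    }
    (lo, hi)
}

fn main() {
    println!("original      {:?}", observed_range(reward_original, 401));
    println!("half-updated  {:?}", observed_range(reward_half_updated, 401));
    println!("named consts  {:?}", observed_range(|t| reward_named(t as i64), REWARD_SPAN));
    println!("negative time -> {}", reward_named(-1));
}
```

Running it shows the original at 100..=500, the half-updated variant at 50..=450 rather than the intended 50..=250, and the named-constant version at 100..=500 with the range following the constants automatically; the `const _` assertion is what turns a future inconsistent edit of the bounds into a build failure.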

Recommended Mitigation

Define named constants for reward parameters and reference them instead of magic numbers.

+ const MIN_REWARD: u64 = 100;
+ const MAX_REWARD: u64 = 500;
+ const REWARD_RANGE: u64 = MAX_REWARD - MIN_REWARD;
- let random_val = time % 401;
- let random_amount = 100 + random_val;
+ let random_val = time % (REWARD_RANGE + 1);
+ let random_amount = MIN_REWARD + random_val;
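Review bot: the replacement line `let random_val = time % (REWARD_RANGE + 1);` only compiles if `time` has the same unsigned type as the `u64` constants; if `time` is a signed clock value (an `i64` timestamp, for instance) the `%` needs an explicit conversion, and a negative value would then require `rem_euclid` rather than `%` to keep the result within `MIN_REWARD..=MAX_REWARD`. The diff also omits the function the two `let` lines live in and a comment stating that `REWARD_RANGE + 1` exists to make `MAX_REWARD` inclusive; adding `const _: () = assert!(MAX_REWARD >= MIN_REWARD);` next to the constants would make a swapped or half-edited pair of bounds fail the build with a clear message.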
Updates

Appeal created

bube Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
