Stale Registered Shares After Cancellation Inflates Winner Denominator
Title: Stale Registered Shares After Cancellation Inflates Winner Denominator
Impact: When a participant cancels, their on‑chain registered share mapping (userSharesToCountry) is not cleared. Later, computing totalWinnerShares sums stale entries and reduces winners’ payouts.
Evidence: cancelParticipation burns tokens and refunds principal but does not clear mapping entries used by _getWinnerShares.
Recommendation (formal mitigation):
On cancelParticipation, zero-out or delete userSharesToCountry[msg.sender][registeredCountryId] and remove userToCountry and userCountryId mappings.
Remove the participant from usersAddress using a swap-and-pop pattern and clear hasJoined flag to prevent duplicate counting.
Add unit tests validating _getWinnerShares before and after cancellations.
Illustrative fix:
Medium Finding (F-004)
Title: deposit() Overwrites stakedAsset Instead of Accumulating
Impact: Multiple deposits by the same user overwrite stakedAsset[receiver], under‑reporting refundable principal on cancel and causing loss of funds.
Evidence: stakedAsset[receiver] = stakeAsset; used instead of additive update.
Recommendation (formal mitigation):
Use cumulative accounting: stakedAsset[receiver] += stakeAsset; and ensure userSharesToCountry is also incremented cumulatively.
Add unit tests for multiple deposits and ensure cancelParticipation refunds the sum of deposits proportional to burned shares.
Minimal fix:
Appeal created
`cancelParticipation` Leaves Stale Winner Data
CancelParticipation burns shares but leaves the address inside usersAddress and keeps userSharesToCountry populated.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.