BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: low
Invalid

Missing Input Validation for Empty Team Names in setCountry()

0xsnoweth

Root + Impact

Description

Normal:

The setCountry() function should validate that all team names are non-empty strings before populating the teams array, ensuring users can only bet on properly named teams.

Issue:

  • The setCountry() function lacks validation to prevent empty strings from being set as team names. While this doesn't break core withdrawal logic (empty strings are handled correctly by keccak256 comparison), it creates poor user experience and potential confusion.

function setCountry(string[48] memory countries) public onlyOwner {
for (uint256 i = 0; i < countries.length; ++i) {
// @> No validation for empty strings
teams[i] = countries[i];
}
emit CountriesSet(countries);
}

Risk

Likelihood:

  • Occurs when owner accidentally or maliciously sets empty strings during tournament setup

  • More likely with manual configuration or integration errors

Impact:

  • Users see empty team names in UI/events, causing confusion

  • CountriesSet event emits empty strings, making off-chain tracking difficult

Recommended Mitigation

function setCountry(string[48] memory countries) public onlyOwner {
for (uint256 i = 0; i < countries.length; ++i) {
+ require(bytes(countries[i]).length > 0, "Empty team name not allowed");
teams[i] = countries[i];
}
emit CountriesSet(countries);
}
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!