[M-1] Gas Limit Vulnerability in Winner Shares Calculation Leading to Contract Lockup

Description

The _getWinnerShares function performs an unbounded iteration through all user addresses to calculate total winner shares. For large tournaments with many participants, this operation will exceed block gas limits, causing the setWinner function to consistently revert, permanently preventing winner selection.

Risk

Likelihood:

• This vulnerability will occur once the number of participants in the tournament exceeds approximately 2,000-5,000 users, triggering an inevitable gas limit error when the owner attempts to set the winner.

• Tournament betting systems typically aim to attract large numbers of participants, making it almost certain this threshold will be reached in a successful deployment.

Impact:

Once the usersAddress array exceeds ~2,000-5,000 entries (depending on gas limits), the setWinner function becomes permanently unusable

• This creates a systemic contract lockup where no winner can ever be selected

• All user funds become permanently trapped in the contract, as withdrawals require winner selection

• This vulnerability is guaranteed to trigger in popular tournaments with moderate participation

Proof of Concept

The PoC demonstrates how the contract fails when too many users join:

This occurs because _getWinnerShares() must iterate through all participants (5,000) to calculate total shares for the winning team, exceeding Ethereum's block gas limit. Once this happens, the contract is permanently locked - no winner can be set, and no user can withdraw funds.

Recommended Mitigation

The fix eliminates the unbounded loop in _getWinnerShares() by tracking shares incrementally:

This approach prevents gas limit issues by:

1. Calculating totals incrementally during join/cancel operations

2. Removing the O(n) iteration through all users

3. Making share calculations constant time regardless of participant count