SNARKeling Treasure Hunt

First Flight #59

Beginner FriendlyGameFiFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Incorrect Use of Uninitialized Immutable Breaks Claim Tracking Logic

Author Revealed upon completion

Description

The contract incorrectly uses an uninitialized immutable variable _treasureHash when checking whether a treasure has already been claimed.

Instead of using the function parameter treasureHash, the contract performs the check using _treasureHash, which is never assigned in the constructor and therefore defaults to bytes32(0).

As a result, the duplicate claim protection does not correctly apply to individual treasures, and the mapping logic becomes inconsistent with the intended design.

This breaks the invariant that each treasure should be uniquely claimable only once.

Risk

The contract incorrectly uses an uninitialized immutable variable _treasureHash when checking whether a treasure has already been claimed.

Instead of using the function parameter treasureHash, the contract performs the check using _treasureHash, which is never assigned in the constructor and therefore defaults to bytes32(0).

This breaks the intended claim uniqueness logic and causes incorrect state tracking for treasure claims.

Impact:

Claim tracking is incorrect
Only bytes32(0) is checked for duplication
Real treasure hashes are not properly protected
Claim logic diverges from intended design

Severity:

High

🧪 Proof of Concept

The issue occurs because the contract checks an uninitialized storage variable instead of the input parameter.

Step 1 — User submits a valid claim

claim(proof, treasureHash, recipient);

Step 2 — Incorrect state check is performed

Inside the claim function:

if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);

However:

_treasureHash is never initialized
It defaults to bytes32(0)

Step 3 — Actual behavior

The contract always evaluates:

claimed[bytes32(0)]

instead of:

claimed[treasureHash]

Step 4 — Result

Only the zero hash key is ever checked
Real treasure hashes are not properly tracked
Claim uniqueness enforcement is broken

🛠️ Recommended Mitigation

The contract should correctly use the function parameter treasureHash for claim tracking.

✅ Fix

Replace:

if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);

With:

if (claimed[treasureHash]) revert AlreadyClaimed(treasureHash);

🧹 Optional Improvement

Remove the unused variable to prevent confusion:

bytes32 private immutable _treasureHash;

🧠 Expected Outcome After Fix

Each treasure is tracked correctly
Duplicate claims are properly prevented
Contract behavior matches intended design

Rewards breakdown

nSLOC

220

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!