The TreasureHunt contract defines a full set of custom errors at the top of the file (including multiple OnlyOwner... errors, HuntNotOver(), NoFundsToWithdraw(), TheContractMustBePaused(), etc.) and even includes an onlyOwner modifier.
However, none of the custom errors are ever used. All owner-restricted functions and the onlyOwner modifier instead revert with the older, less gas-efficient require(condition, "ERROR_STRING") pattern.
Likelihood:
Every call to any owner-restricted function (fund, pause, unpause, withdraw, updateVerifier, emergencyWithdraw)
The pattern is used consistently across the entire admin surface of the contract
Impact:
Increased gas costs on every admin transaction (string errors are more expensive than custom errors)
Larger deployed bytecode size due to embedded string data
Inconsistent and outdated error handling (the contract already uses custom errors in claim() but not for owner checks)
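The pattern this finding describes, shown beside its custom-error form, as an added example that is not the TreasureHunt source. The contract names, NotOwner(), TransferFailed() and the revert strings are assumptions; onlyOwner, withdraw and NoFundsToWithdraw() are names the finding mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors are available from 0.8.4

// Added illustration: contract names, NotOwner(), TransferFailed() and the strings are assumptions.

// Before: string reverts. Each string is embedded in the bytecode and
// returned ABI-encoded as Error(string) when the check fails.
contract AdminWithStrings {
    address public immutable owner;

    constructor() payable { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "ONLY_OWNER");
        _;
    }

    function withdraw() external onlyOwner {
        uint256 balance = address(this).balance;
        require(balance > 0, "NO_FUNDS_TO_WITHDRAW");
        (bool ok, ) = payable(owner).call{value: balance}("");
        require(ok, "TRANSFER_FAILED");
    }
}

// After: custom errors. A failed check returns only the 4-byte error selector.
contract AdminWithCustomErrors {
    error NotOwner();
    error NoFundsToWithdraw();
    error TransferFailed();

    address public immutable owner;

    constructor() payable { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function withdraw() external onlyOwner {
        uint256 balance = address(this).balance;
        if (balance == 0) revert NoFundsToWithdraw();
        (bool ok, ) = payable(owner).call{value: balance}("");
        if (!ok) revert TransferFailed();
    }
}
```

Both contracts enforce the same access check; only the revert encoding differs, so off-chain tooling that matches on the old strings needs to decode error selectors instead.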