SNARKeling Treasure Hunt

First Flight #59
Beginner FriendlyGameFiFoundry
100 EXP
Submission Details
Impact: low
Likelihood: low

Bypass of Intended flow -> Missing msg.value() check in constructor

Author Revealed upon completion

Root + Impact

Description

  • The contract explicitly states that on deployment, the contract should be funded (line 74 )

  • It can be bypassed and deployed with no funds, potentially breaking the contract for time being for future users

constructor(address _verifier) payable {
if (_verifier == address(0)) revert InvalidVerifier();
//@> missing require statement here
owner = msg.sender;
verifier = IVerifier(_verifier);
paused = false;
// Owner should fund 100 ETH at deployment (10 treasures × 10 ETH).
}

Risk

Likelihood:

  • This may occur during deployment

  • Impact:

    ->At the very least, some of the users gas could get wasted, due to broken logic, because it will be missing requirements the contract is designed for.

Proof of Concept

I updated the source code, so that it could successfully compile, and be deployed without the need of missing files

pragma solidity ^0.8.27;
import {Test} from "../lib/forge-std/src/Test.sol";
import {console} from "../lib/forge-std/src/console.sol";
import {TreasureHunt} from "../src/TreasureHunt.sol";
contract DeploymentWithoutFunds is Test {
// contract owner
address owner = makeAddr("owner");
// contract
TreasureHunt contractObject;
function setUp() external {
// fund owner address
vm.deal(owner, 1005 wei);
}
function test_Deploy() external {
// try to deploy contract below 100 ether
contractObject = new TreasureHunt{value: 1000 wei}();
// read funds
console.log("funds of contract at:", contractObject.getContractBalance());
// check condition
assertLt(contractObject.getContractBalance(), 100 ether);
}
}

Recommended Mitigation

+ require(msg.value >= 100 ether)

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!