SNARKeling Treasure Hunt

First Flight #59
Beginner Friendly, GameFi, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high

Deployment Script Can Permanently Lock ETH via Incorrect Initial Funding Assumptions

Author Revealed upon completion

Root + Impact

Description

  • The deployment script funds TreasureHunt with ETH in its constructor so that rewards can be paid out to valid ZK proof claimants.

  • The funding amount is read from an environment variable with no sanity check against REWARD * MAX_TREASURES, the amount needed to pay every treasure. An underfunded deployment (less than that) or a misfunded one (not a multiple of REWARD) passes the script's own checks and permanently breaks reward distribution for later claimants.

//@> No validation that initialFunding >= REWARD * MAX_TREASURES (or that it is a multiple of REWARD)
uint256 initialFunding = vm.envOr("INITIAL_FUNDING", DEFAULT_INITIAL_FUNDING);
hunt = new TreasureHunt{value: initialFunding}(address(verifier));
// Only confirms that the ETH arrived, not that it is enough to pay every treasure
require(hunt.getContractBalance() == initialFunding, "UNEXPECTED_BALANCE");

Risk

Likelihood:

  • Occurs whenever deployment is done with a misconfigured .env file or a deployment script reused across networks without adjusting INITIAL_FUNDING
  • Occurs during rushed contest / hackathon / production deployments

Impact:

  • Rewards become unclaimable for later users: once the balance falls below REWARD, every further valid proof fails to pay out
  • Any remainder smaller than REWARD (for example the 5 ether left after one payout from a 15 ether funding with a 10 ether reward) can never be paid out and, with no withdrawal mechanism, is permanently stuck

Proof of Concept

INITIAL_FUNDING = 10 ether
REWARD = 10 ether
MAX_TREASURES = 10
→ Required funding is REWARD * MAX_TREASURES = 100 ether, but the script accepts 10 ether
→ Only the first treasure can be paid; the balance is then 0
→ The remaining 9 valid proofs revert forever
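As an added example (not the project's deploy script or tests), a Foundry script that enforces the funding check and a test that feeds it the PoC numbers above. Assumed, because the page does not show them: the `../src/TreasureHunt.sol` import path, a `VERIFIER` env var for the already-deployed verifier, a 100 ether default, and that `REWARD()` and `MAX_TREASURES()` are public getters on TreasureHunt. The check is tightened beyond `>=` to exact funding, since the report also states there is no withdrawal mechanism, so excess or a remainder is as stuck as an underfunded hunt's later claims.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";
import {Test} from "forge-std/Test.sol";
import {TreasureHunt} from "../src/TreasureHunt.sol"; // assumed path

/// Hardened deploy script (added example, not the project's own code).
/// Assumed: the constructor takes the verifier address, REWARD() and
/// MAX_TREASURES() are public getters, and the verifier address is read
/// from a VERIFIER env var.
contract DeployTreasureHuntChecked is Script {
    uint256 public constant DEFAULT_INITIAL_FUNDING = 100 ether; // assumed default

    /// Pure so it can be unit-tested without deploying anything. Returns the
    /// exact amount the hunt needs; with no withdrawal path, anything else is
    /// either unpayable (too little) or stranded (remainder or excess).
    /// The checks are ordered so the revert reason names the actual mistake.
    function validateFunding(uint256 initialFunding, uint256 reward, uint256 maxTreasures)
        public
        pure
        returns (uint256 required)
    {
        require(reward > 0 && maxTreasures > 0, "ZERO_REWARD_OR_TREASURES");
        required = reward * maxTreasures; // 0.8 checked arithmetic reverts on overflow
        require(initialFunding >= required, "INSUFFICIENT_INITIAL_FUNDING");
        require(initialFunding % reward == 0, "FUNDING_NOT_MULTIPLE_OF_REWARD");
        require(initialFunding == required, "EXCESS_FUNDING_UNRECOVERABLE");
    }

    function run() external returns (TreasureHunt hunt) {
        uint256 initialFunding = vm.envOr("INITIAL_FUNDING", DEFAULT_INITIAL_FUNDING);
        address verifier = vm.envAddress("VERIFIER"); // assumed env var

        vm.startBroadcast();
        hunt = new TreasureHunt{value: initialFunding}(verifier);
        vm.stopBroadcast();

        // REWARD/MAX_TREASURES can only be read from the deployed instance, so the
        // check runs after `new`. forge script simulates the whole run before it
        // broadcasts, so a revert here aborts the deployment with nothing sent.
        uint256 required = validateFunding(initialFunding, hunt.REWARD(), hunt.MAX_TREASURES());
        require(hunt.getContractBalance() == required, "UNEXPECTED_BALANCE");
    }
}

/// Exercises validateFunding with the numbers from the PoC above.
contract FundingCheckTest is Test {
    DeployTreasureHuntChecked internal deploy = new DeployTreasureHuntChecked();

    function test_pocUnderfundingIsRejected() public {
        // PoC: INITIAL_FUNDING = 10 ether, REWARD = 10 ether, MAX_TREASURES = 10
        vm.expectRevert(bytes("INSUFFICIENT_INITIAL_FUNDING"));
        deploy.validateFunding(10 ether, 10 ether, 10);
    }

    function test_remainderIsRejected() public {
        // 105 ether pays ten treasures and strands 5 ether with no way to withdraw it
        vm.expectRevert(bytes("FUNDING_NOT_MULTIPLE_OF_REWARD"));
        deploy.validateFunding(105 ether, 10 ether, 10);
    }

    function test_exactFundingPasses() public {
        assertEq(deploy.validateFunding(100 ether, 10 ether, 10), 100 ether);
    }
}
```

In a real repository the script and the test go under `script/` and `test/` respectively; they are shown in one file only so the example reads top to bottom. Running `forge test --match-contract FundingCheckTest` exercises the check with the PoC values without touching any network.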

Recommended Mitigation

- remove this code
+ add this code
+uint256 requiredFunding = hunt.REWARD() * hunt.MAX_TREASURES();
+require(initialFunding >= requiredFunding, "INSUFFICIENT_INITIAL_FUNDING");
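Review bot: the `>=` on the second `+` line still accepts the misfunded case the description names. Any amount above `requiredFunding` that is not a multiple of `REWARD` leaves a remainder no claim can pay, and with no withdrawal mechanism it is stuck exactly like an underfunded hunt's later claims; tighten it to `require(initialFunding == requiredFunding, "INCORRECT_INITIAL_FUNDING");`, or at least add `require(initialFunding % hunt.REWARD() == 0, "FUNDING_NOT_MULTIPLE_OF_REWARD");`. Also, because `hunt.REWARD()` and `hunt.MAX_TREASURES()` are read from the deployed instance, this check necessarily runs after `new TreasureHunt{value: initialFunding}` has already sent the ETH; that is only safe because `forge script` simulates the full run before broadcasting, which the mitigation should state in a comment so nobody moves the check into a separate transaction.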
