SNARKeling Treasure Hunt
First Flight #59
Beginner FriendlyGameFiFoundry
100 EXP
View all submissions
Previous Next
Submission Details
Impact: high
Likelihood: high

[H-03] Logic error in claim() prevents any sucessful reward distribution

Author Revealed upon completion

Description

  • The claim function is intended to mark a specific treasureHash as claimed in the contract's storage to prevent it from being reused.

  • The contract accidentally attempts to update a global state variable _treasureHash (which is always empty/zero) instead of the actual treasureHash passed as an argument. Because the contract then checks if the provided hash is claimed, the logic fails to track the correct treasures, eventually bricking the claim process for valid users.

Solidity

function claim(bytes calldata proof, bytes32 treasureHash, address payable recipient) external nonReentrant() {
// ...
@> claimed[_treasureHash] = true; // Root cause: Updates the wrong variable (global instead of local)
}

Risk

Likelihood:

  • This bug triggers every single time a user calls the claim function, making it a 100% certainty upon the first interaction.

Impact:

  • Contract Inoperability: The mapping fails to record the actual treasures found, leading to inconsistent state and preventing users from successfully completing the hunt logic as intended.

Proof of Concept

Solidity

function test_WrongVariableUpdated() public {
bytes32 realHash = keccak256("treasure_1");
hunt.claim(mockProof, realHash, payable(user));
// The mapping for the actual hash remains false
assertEq(hunt.isClaimed(realHash), false);
// The empty global variable was updated instead
assertTrue(hunt.isClaimed(bytes32(0)));
}

Recommended Mitigation

Diff

- claimed[_treasureHash] = true;
+ claimed[treasureHash] = true;

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!