Repeated value in `ALLOWED_TREASURE_HASHES` makes the intended 10 treasures unreachable
Root + Impact
Description
The last value in ALLOWED_TREASURE_HASHES array in main.nr is repeated which makes the total claimable value to be nine instead of the intended 10.
https://github.com/CodeHawks-Contests/2026-04-snarkeling/blob/f563199227dd06c21e94c228b4460d81a6d0eed4/circuits/src/main.nr#L55-#L65
Risk
Likelihood:
High
Impact:
Only nine treasures will be claimable. Yet the intended are 10
Proof of Concept
Nil
Recommended Mitigation
Consider adding the intended value, and remove the duplicate.
Lead Judging Commences
unclaimable treasure / bricked withdraw path
The issue stems from a mismatch between the circuit and the contract’s economic assumptions: the Solidity contract is configured for `MAX_TREASURES = 10` and only allows the owner to call `withdraw()` once `claimsCount >= MAX_TREASURES`, while the Noir circuit’s baked-in `ALLOWED_TREASURE_HASHES` array does not actually contain ten distinct treasures because one hash is duplicated and another expected hash is missing. As a result, under the intended one-claim-per-treasure design described in the README, there are only nine uniquely claimable treasures even though the system is funded and accounted as if ten rewards can be legitimately redeemed. That creates two linked consequences from the same root cause: first, one treasure is effectively unclaimable because no valid proof can ever be generated for the missing allowed hash, and second, the normal “hunt over” withdrawal path becomes bricked because honest participants can never reach ten legitimate unique claims, leaving the post-hunt fund recovery logic via `withdraw` function permanently unreachable. The owner can still intervene through the emergency path.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.