In main.nr, the last two values of the hardcoded ALLOWED_TREASURE_HASHES array are identical. This means that, in reality, only 9 unique treasures can generate valid proofs. However, MAX_TREASURES is set to 10 in the contract, and the withdraw function requires:
This makes it impossible for the owner to ever use the withdraw function to retrieve unclaimed funds after the hunt is over.
Likelihood: High
This is a hardcoded logical error.
It occurs when 9 treasures are claimed and the last hunter cannot obtain a reward.
Impact: High
the owner will never be able to call withdraw() to extract remaining funds or unclaimed rewards, and can only rely on emergencyWithdraw to urgently send ETH to a specified address.
One of the two hunters that found the treasure with same treasureHash couldn't get the reward.
Hunters find all possible treasures.
9 treasures are claimed; the last hunter cannot obtain a reward. claimsCount equals 9.
After the hunt is over, the Owner attempts to withdraw the remaining 10 ETH. Calling withdraw() triggers require(9 >= 10), and the transaction fails.
Update the Noir Circuit
The root cause lies in the Noir circuit definition. Ensure that the ALLOWED_TREASURE_HASHES array in main.nr contains 10 unique Pedersen hashes. This ensures that there are 10 distinct valid secrets, allowing claimsCount to reach MAX_TREASURES.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.