(HIGH) Duplicate hash in `ALLOWED_TREASURE_HASHES` makes one treasure permanently unclaimable and leaves an inventory mismatch between the circuit and the deploy script.
Location: circuits/src/main.nr:55-66 (duplicate at lines 64-65); circuits/src/tests.nr:30
Description
The Noir circuit bakes in 10 allowed Pedersen hashes in circuits/src/main.nr. Indexes 8 and 9 are identical:
But circuits/Prover.toml.example and contracts/scripts/Deploy.s.sol both say the correct hash at index 8 should be:
Treasure #9 (whose hash is -4417726...) is therefore not in the allowed set of the circuit. Anyone who physically finds treasure #9 cannot generate a valid proof and cannot claim the reward. The workaround is visible in circuits/src/tests.nr:30, where the test author uses treasure 10 twice and skips 9 entirely:
Risk
Likelihood: High any time a finder of treasure #9 tries to claim, the circuit rejects their proof.
Impact: Medium. One physical treasure is bricked; the ETH allocated to treasure #9 is stranded. The circuit still reaches MAX_TREASURES = 10 because treasure #10's hash matches both the duplicate entries
Proof of Concept
The simplest way to show the bug is to try to generate a proof for treasure #9 using its real hash (-4417726...). The circuit's is_allowed check fails:
Run:
The test body is marked should_fail because main() will assert-fail at assert(is_allowed(treasure_hash)) proving that treasure #9's real hash is not in the circuit's allowed set.
Recommended Mitigation
Replace the duplicate at index 8 with the correct hash and regenerate the verifier via ./build.sh. Restore the test to enumerate all 10 unique treasures.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.